Preface



This book is the proceedings of CRYPTO 86, one in a 
series of annual conferences devoted to cryptologic research. They 
have all been held at the University of California at Santa Barbara. 
The first conference in this series, CRYPTO 81, organized by A. 
Gersho, did not have a formal proceedings. The proceedings of the 
following four conferences in this series have been published as: 



Advances in Cryptology: Proceedings of Crypto 82, D. Chaum, R. L. Rivest, and A. T. Sherman, eds., Plenum, 1983.

Advances in Cryptology: Proceedings of Crypto 83, D. Chaum, ed., Plenum, 1984.

Advances in Cryptology: Proceedings of CRYPTO 84, G. R. Blakley and D. Chaum, eds., Lecture Notes in Computer Science #196, Springer, 1985.

Advances in Cryptology - CRYPTO '85 Proceedings, H. C. Williams, ed., Lecture Notes in Computer Science #218, Springer, 1986.



A parallel series of conferences is held annually in Europe. 
The first of these had its proceedings published as 



Cryptography: Proceedings, Burg Feuerstein 1982, T. 
Beth, ed., Lecture Notes in Computer Science #149, 
Springer, 1983. 



Eurocrypt 83, held in March of 1983 in Udine, Italy, and Eurocrypt 86, 
held in May of 1986 in Linkoping, Sweden, did not have formal 
proceedings, while the '84 and '85 conference proceedings have 
appeared as 



Advances in Cryptology: Proceedings of EUROCRYPT 84, T. Beth, N. Cot, and I. Ingemarsson, eds., Lecture Notes in Computer Science #209, Springer, 1985.

Advances in Cryptology - EUROCRYPT '85, F. Pichler, ed., Lecture Notes in Computer Science #219, Springer, 1986.

Papers in this volume are presented in seven sections 
containing most of the papers presented in the regular program, and a 
final section based on some of the informal presentations at the "Rump 
Session" organized by W. Diffie. Several of the regular papers 
presented at the conference are not included in this volume. There was 
a special session on integer factorization, and the three papers in that 
section will be published in journals: 

C. Pomerance, J. W. Smith, and R. Tuler, A pipeline 
architecture for factoring large integers with the 
quadratic sieve algorithm, SIAM J. Comp. (to appear). 

T. R. Caron and R. D. Silverman, Parallel 
implementation of the quadratic sieve, J. 
Supercomputing (to appear). 

M. C. Wunderlich and H. C. Williams, A parallel 
version of the continued fraction integer factoring 
algorithms, J. Supercomputing (to appear). 

Also, the paper 

J. G. Osborn and J. R. Everhart, A large community 
key distribution protocol, 

was not revised in time for publication. 

It is my pleasure to thank all those who make these 
proceedings possible: the authors, organizers, and all the attendees. 
Special thanks are due to M. Janssen, Y. Cohen, and the Springer staff 
for their help in the production of this volume. 



Murray Hill, New Jersey 



Andrew M. Odlyzko 
ABSTRACT

The S-boxes used in the DES are the major cryptographic component of the system. Any structure which they possess can have far reaching implications for the security of the algorithm. Structure may exist as a result of design principles intended to strengthen security. Structure could also exist as a "trapdoor" for breaking the system. This paper examines some properties which the S-boxes satisfy and attempts to determine a reason for such structure to exist.

INTRODUCTION 

The DES (Data Encryption Standard) was certified by the NBS in 1975 [NBS1]. A complete description of the DES can also be found in either [D] or [K]. The major nonlinear component of the DES is a function $f$ that involves the S-boxes. $f$ is a function that takes as input 32 bits of partially enciphered message and 48 bits of key and produces 32 bits of partially enciphered message as output. $f$ uses eight S-boxes. Each S-box is a function from 6 bits into 4 bits. To be more precise, let $a = (a_1 \ldots a_{32})$ be 32 bits of partially enciphered message and let $k = (k_1 \ldots k_{48})$ be 48 bits of key. Then to form $f(a,k)$, $a$ is expanded to a 48 bit $b$ by duplicating the bits that have an index that is 0 or 1 mod 4 in the following manner. Let

$b = (b_1 \ldots b_{48}) = (a_{32}\, a_1\, a_2\, a_3\, a_4\, a_5\, a_4\, a_5\, a_6\, a_7\, a_8\, a_9\, a_8\, a_9 \ldots a_{28}\, a_{29}\, a_{28}\, a_{29}\, a_{30}\, a_{31}\, a_{32}\, a_1)$.

Let $c_i = b_i + k_i$ for $1 \le i \le 48$. ($+$ will refer to addition mod 2 throughout this paper.) Let $c = (c_1 \ldots c_{48})$. $c_{6(i-1)+1} \ldots c_{6(i-1)+6}$ will be the 6 input bits into the $i$'th S-box. Let $d_{4(i-1)+1} \ldots d_{4(i-1)+4}$ be the output bits from the $i$'th S-box. Let $d = (d_1 \ldots d_{32})$. Then $f(a,k) = d$.

"Tflii work performed at S Midi a Nation*! Laboratories supported by the U.S. Department of Energy under con- 
tract number DE-AC04-76DPQOT89. 

"This work performed while the author <*as visiting Bell Communications Research 

A.M. Odlyzko (Ed.): Advances in Cryptology - CRYPTO '86, LNCS 263, pp. 3-8, 1987. 
© Springer- Verlag Berlin Heidelberg 1987 
The eight S-boxes used in the DES are listed in Table 1. Each S-box, $S_i$, is described by a matrix, $M_i$, with 4 rows and 16 columns. Then $S_i(c_1 \ldots c_6) = M_i(c_1 c_6,\, c_2 c_3 c_4 c_5)$, i.e. the two outer input bits select the row and the four middle bits select the column. It is clear from examining the S-boxes in Table 1 that each row of an S-box is a permutation of the integers 0 to 15. We will list this as property P0 of the S-boxes.

PO. Each row of an S-box is a permutation of the integers 0 to 15. 

There have also been other properties found [K],[L],[S] that the S-boxes satisfy that would 
not likely be satisfied if the boxes were chosen randomly. We want to study these properties to 
see if some of them are related. The purpose of this paper is to attempt to find a minimal set 
of properties satisfied by the S-boxes. That is, a set of properties such that if we generate ran- 
dom boxes designed to satisfy these properties, then these boxes will satisfy all of the unusual 
properties of the S-boxes that we have been able to find. 

S-BOX DESIGN PRINCIPLES 

We would like to know what properties the S-boxes were designed to satisfy. This information has never been published and in fact, the only source for specific "design principles" appears to be responses from the NSA to a study of the DES made by the Lexar Corporation [L]. These were included in the report of the second workshop on the DES held by the NBS in 1976 [BGK]. In their comments, the NSA labelled the following as "design criteria" for the S-boxes.

P1. No S-box is a linear or affine function of the input.

P2. Changing 1 input bit to an S-box results in changing at least 2 output bits.

P3. $S(x)$ and $S(x + 001100)$ must differ in at least 2 bits.

The following were labelled by the NSA as "caused by design criteria."

P4. $S(x) \ne S(x + 11ef00)$ for any choice of $e$ and $f$.

P5. The S-boxes were chosen to minimize the difference between the number of 1's and 0's in any S-box output when any single input bit is held constant.

In this paper, an attempt is made to link any structure found in the S-boxes to these 
design principles. A basic tool used in this study was the generation of new boxes designed to 
meet a subset of these properties, but chosen randomly subject to the constraints imposed by 
the properties. These new boxes were compared with the DES S-boxes in order to identify 
further structure. 

RELATION BETWEEN PROPERTIES 

When we generated boxes satisfying P0, P2, and P3, we found that P5 also held. P5 can be stated in a more obvious manner. For an S-box $S$, let $p_i S$ be the projection of $S$ onto the $i$'th output bit, i.e. if $S(x) = (d_1 d_2 d_3 d_4)$, then $p_i S(x) = d_i$. Since each row of the S-box is a permutation, the list of $p_i S(x)$ over all 6 bit inputs, $x$, will contain exactly 32 1's and 32 0's. Consider the same list with one of the input bits fixed. For example, consider the list over all 6 bit inputs $x = x_1 \ldots x_6$ such that $x_i = 0$. If $i = 1$ or $6$, then the list will contain exactly 16 1's and 16 0's. If $i = 2, 3, 4$, or $5$, the list will not necessarily contain the same number of 1's and 0's. P5 states that the S-boxes were chosen to minimize this difference between the number of 1's and 0's. In Table 2, we tabulated the number of 1's in each of the lists $p_j S_i(x)$ where $x$ ranges over all 6 bit inputs satisfying $x_k = 0$ for $2 \le k \le 5$, $1 \le i \le 8$, $0 \le j \le 3$. If the S-boxes satisfied only the row permutation property, then we would expect the distribution of the number of 1's to look like the distribution in Table 3. Table 4 contains the distribution of 100 boxes generated to satisfy only P0, P2, and P3. The similarity with Table 2 is apparent.
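As an added check that is not code from the paper, the following Python tests P0, P2, P3 and P4 on one DES S-box, tabulates the Table 2 projection counts behind P5, and draws random boxes satisfying only P0 in the spirit of the authors' comparison method. Only S1 is embedded (its values are the standard FIPS 46 table; Table 1 is not on this page), the bit indexing follows $M_i(c_1 c_6, c_2 c_3 c_4 c_5)$ above, and all function names are mine.

```python
"""Added example: design-criteria checks on a DES S-box (P0, P2, P3, P4, P5 counts).
Only DES S-box S1 is embedded; the other seven boxes of Table 1 are not on this page."""
import random

# DES S-box S1 as the 4x16 matrix M_1 of FIPS 46 (values from the standard, not this page).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(M, x):
    """S(x) for a 6-bit input x = x1..x6 (x1 is the msb of the integer):
    row index from x1 x6, column index from x2 x3 x4 x5."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return M[row][col]

def weight(v):
    """Hamming weight of a small non-negative integer."""
    return bin(v).count("1")

def input_mask(k):
    """Mask of input bit x_k (k = 1..6) in the 6-bit integer encoding."""
    return 1 << (6 - k)

def p0(M):
    """P0: each row is a permutation of the integers 0..15."""
    return all(sorted(row) == list(range(16)) for row in M)

def p2(M):
    """P2: changing one input bit changes at least two output bits."""
    return all(weight(sbox(M, x) ^ sbox(M, x ^ input_mask(k))) >= 2
               for x in range(64) for k in range(1, 7))

def p3(M):
    """P3: S(x) and S(x + 001100) differ in at least two bits."""
    return all(weight(sbox(M, x) ^ sbox(M, x ^ 0b001100)) >= 2 for x in range(64))

def p4(M):
    """P4: S(x) != S(x + 11ef00) for every choice of e and f."""
    return all(sbox(M, x) != sbox(M, x ^ (0b110000 | (e << 3) | (f << 2)))
               for x in range(64) for e in (0, 1) for f in (0, 1))

def projection_counts(M):
    """Table 2 statistic: number of 1's in output bit j (j = 0 is the msb)
    over the 32 inputs with input bit x_k held at 0, for k = 1..6."""
    return {(k, j): sum((sbox(M, x) >> (3 - j)) & 1
                        for x in range(64) if not x & input_mask(k))
            for k in range(1, 7) for j in range(4)}

def p5_imbalance(M):
    """Largest deviation from the balanced value 16 over the inner bits x2..x5
    (the outer bits x1 and x6 are always balanced once P0 holds)."""
    counts = projection_counts(M)
    return max(abs(counts[(k, j)] - 16) for k in range(2, 6) for j in range(4))

def random_p0_box(rng):
    """A box satisfying only P0: four independent random row permutations."""
    return [rng.sample(range(16), 16) for _ in range(4)]

def fraction_meeting(pred, trials=200, seed=1):
    """Fraction of random P0 boxes that also satisfy pred: the paper's
    random-box comparison in miniature."""
    rng = random.Random(seed)
    return sum(pred(random_p0_box(rng)) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("S1 meets P0, P2, P3, P4:", p0(S1), p2(S1), p3(S1), p4(S1))
    print("S1 P5 imbalance on inner bits:", p5_imbalance(S1))
    print("random P0 boxes also meeting P2:", fraction_meeting(p2))
```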

Given an S-box $S$, we can define $R_i$ to be the permutation defined by the $i$'th row of $S$. Each row of an S-box is a Boolean vector function from 4 input bits to 4 output bits. Each such output bit can be viewed as a function of the 4 input bits and each input bit can be viewed as a function of the 4 output bits. These 256 functions belong to the set $F$ of all Boolean functions from 4 bits to 1 bit having the property that exactly 8 inputs are mapped to 0 and 8 are mapped to 1. Define an equivalence relation on $F$ by $f \sim g$ if there is a function $\sigma$ which is a permutation on 4 elements and also allows for complementation of those elements, so that $f \circ \sigma = g$ or $\overline{f \circ \sigma} = g$. The elements of $F$ fall into 58 equivalence classes under this relation. However, the subset $F_1$ of $F$ used in the rows of the S-boxes falls into only 22 of these classes.

In the boxes we generated satisfying P0, P2, P3, and P4, there were two classes of functions that frequently appeared that were not in $F_1$. One class contained the function $f(w,x,y,z) = w+x+y+z$. The other class contained the function $g(w,x,y,z) = w+z+y$. It is possible that these two classes were prohibited in the S-boxes because of property P1. We then generated new boxes which did not contain these two classes of functions. The distribution of classes of functions in $F$ used in these new boxes was found to be similar to that of the DES S-boxes. Thus we define property P1'.

P1'. None of the four bit to one bit functions used in a row of an S-box is equivalent to the sum of four bits or to the sum of three bits.

We now return to the function $f$ defined in the introduction. If a vector $K$ of 48 bits is fixed, then $f|_K$ is a function from 32 bits to 32 bits. ($f|_K(a) = f(a,K)$.) However, $f|_K$ is not one-to-one or onto, so an investigation of the image of $f|_K$ was initiated. A set $X$ of one thousand 32-bit vectors was randomly generated and for several different key vectors $K$, the integers $|\{y : f|_K(y) = x\}|$ were calculated for each $x \in X$. For the S-boxes, for all keys tested, about 1/2 of the elements of $X$ had exactly one pre-image and about 1/3 of them were not in the image set. However, these two statistics were reversed in boxes that satisfied only P0, P1', P2, and P3. Since it seems desirable to make the image set as large as possible, it appears that this shift in the distribution may be due to some design principle.

This characteristic of the image set appears to be caused by property P4. Random boxes were generated which satisfied properties P0, P1', P2, P3, and also P4. The tabulation of $|\{y : f|_K(y) = x\}|$ was then repeated for these boxes. The distribution obtained from these new boxes was not significantly different from that of the DES S-boxes.

The relationship between property P4 and the image set becomes clearer with a deeper look at the implications of property P4. To be precise, some notation is required. For a 32-bit vector $X$, let $S_i(X)$ denote the 6 bits of $X$ used in the input to the $i$-th S-box. Also, $S_i$ and $S_j$ will be called consecutive if $|i - j| = 1$ or if $\{i,j\} = \{1,8\}$. Using property P4 and the expansion operator, the following result can be proven.

Theorem 1

If $X$ and $Y$ are 32-bit vectors for which $f|_K(X) = f|_K(Y)$, for some key $K$, then $S_i(X) \ne S_i(Y)$ for at least 3 consecutive $S_i$'s and the Hamming distance between $X$ and $Y$ is at least 4.

Without property P4, the smallest distance between such an $X$ and $Y$ would be 2 and would involve differences in only 2 consecutive $S_i$'s. Thus property P4 tends to make the possibility that two different inputs would be mapped onto the same output less likely. This both links the property to the shift in the distribution and appears to be a desirable cryptographic result.

At Crypto '85, Shamir [S] presented a paper in which he pointed out some unusual patterns in the S-boxes and questioned why such patterns exist. In particular, if the 6-bit input to an S-box is labelled as ABCDEF, then these patterns demonstrated an extremely high correlation between even Hamming weight outputs and either B = 0 or B = 1. The boxes that we generated that satisfied P0 - P4 also tended to exhibit the same patterns, although the correlations were not as strong. This does indicate that the probabilities given in Shamir's talk do not fairly evaluate the chances of these patterns occurring, since the acknowledged design criteria seem to make them likely to exist.

CONCLUSION 

All of the structure of the S-boxes that we have described appears to be the result of 
design principles. The question that remains is whether this is a complete list of the design 
principles used in creating the S-boxes. This question could be answered in the negative if 
further structure was discovered in the S-boxes that did not occur in the boxes created using 
these design principles. 
Table 2: Property P5 (distribution of number of 1's in output with 1 input bit fixed; table body omitted)

Cycle Structure of the DES with Weak and Semi-Weak Keys*

Judy H. Moore and Gustavus J. Simmons
Sandia National Laboratories
Albuquerque, NM 87185

As part of a report on cycling experiments with DES, Rivest [1] announced at Crypto '85 that a small cycle had been found when alternately encrypting with the all zeroes key and the all ones key. This cycle contained approximately $2^{33}$ points. Later in the same meeting, Coppersmith [2] explained this phenomenon by noting that if a fixed point occurred in the cycle, since with these keys encryption is the same as decryption, the successive encryptions would actually be decryptions and would retrace the steps to the starting point. We can picture this as follows:

[figure omitted]

where $x$ is the starting point, $y$ is the fixed point and $K$ and $\bar{K}$ represent the keys used. He also argued that since there are $2^{32}$ such fixed points for each of these keys, the apparently small size of the cycle reported was not actually surprising. Intrigued by these observations, we began an in-depth study of the cycle structure of DES using weak and semi-weak keys. The results presented in this paper outline the current status of that study.
Notation

A complete description of the DES algorithm will not be given here, but since we will use a nonstandard notation, introduced by Grossman and Tuckerman [3], we begin with the specifics of that notation. Omitting the initial and final permutations, the DES transformation can be viewed as a sequence of 32-bit vectors

$m_0, m_1, m_2, \ldots, m_{16}, m_{17}$

defined recursively by

$m_{i+1} = m_{i-1} \oplus f(K_i, m_i)$

where $K_i$ is the $i$-th round key and $f$ is the nonlinear DES function described in the original FIPS Publication 46 [4]. The concatenation $m_0 m_1$ represents the 64-bit input after the initial permutation, while $m_{17} m_{16}$ represents the output before the inverse of that permutation. This notation is much better suited to our purposes than the original description of the DES. For all of the work reported in this paper, the initial and final permutations are irrelevant, so we will routinely omit them.

Some details of the nonlinear function $f$ are required for our discussion. The function takes as input a 32-bit vector $X$ and expands it to a 48-bit vector $E(X)$. The 48-bit round key is then exclusive-ored with $E(X)$. The resulting vector is used as input to the S-boxes, yielding a 32-bit vector. The output of $f$ is a permuted form of this 32-bit vector. This process is shown in the following figure.
Figure 1. [figure omitted]

The descriptions of $E$, $P$ and the S-boxes can be found in FIPS Publication 46 [4]. The complete DES encryption of a 64-bit vector $Y$ with a key $K$ will be denoted in this paper by $E(K,Y)$, while decryption with $K$ will be denoted by $D(K,Y)$.



The Keys 



We begin with a review of what is known about the weak and semi-weak keys. Davies [5] and Jueneman [6] have studied the structure of these keys and some of the results have also appeared in FIPS Publication 74 [7]. The approach in this paper basically follows that of Moore and Simmons [8].

The keys used in this study fall into two classes. The first 
class, the weak keys, consists of four keys distinguished by the 
fact that all 16 round keys are the same. This means that 
decryption is identical to encryption since reversing the calling 
sequence for the round keys has no effect. 

The second class consists of the semi-weak keys. A key $K$ is a semi-weak key if there exists another key $K^*$ so that the round keys for these keys satisfy $K^*_i = K_{17-i}$ for $0 < i < 17$. This property has the effect of providing "inverse keys" in the sense that decryption with $K$ is the same as encryption with $K^*$.

The following theorem verifies that the weak and semi-weak keys are the only such keys having this kind of inverse keys.

Theorem 1

A DES key $K$ has an inverse key $K^*$ satisfying

$K^*_i = K_{17-i}$

if and only if $K$ is one of the 16 keys in which all 14 of the bits in each of the four subsets A, B, C, and D of $K$ listed below are alike.

A = (1 2 3 17 18 19 33 34 35 36 49 50 51 52)
B = (4 5 6 7 20 21 22 23 37 38 39 53 54 55)
C = (9 10 11 25 26 27 41 42 43 44 57 58 59 60)
D = (12 13 14 15 28 29 30 31 45 46 47 61 62 63)

Proof:

The proof is a tedious but straightforward bit tracing of the round keys. ∎

The sets A, B, C, and D in the previous theorem also give rise to a labeling technique for the keys used in this study. This label consists of a four-bit number, the most significant bit of which identifies the value for the bits in set A. The next bits identify the values for sets B, C and D. For example, K(3) is the key in which the bits in sets A and B are zero and the bits in sets C and D are one since the binary representation of 3 is 0011. That is,

K(3) = 0000000(1) 1111111(0) 0000000(1) 1111111(0) 0000000(1) 1111111(0) 0000000(1) 1111111(0)

The bits in parentheses are the parity bits and are set by the rule that each byte must have odd parity. The 16 keys mentioned in the previous theorem are listed below using this notation with their corresponding inverse keys identified.

K   0 1 2  3 4 5 6  7 8 9 10 11 12 13 14 15
K*  0 4 8 12 1 5 9 13 2 6 10 14  3  7 11 15
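As an added example that is not code from the paper, the following Python builds each K(n) from the sets A, B, C, D under the odd-parity rule, reproduces the K(3) expansion above, and regenerates the K / K* table. The A with C, B with D swap in inverse_label is read off the paper's table rather than derived from the key schedule, and all function names are mine.

```python
"""Added example: the K(n) labelling of Theorem 1 and the inverse-key table.
Bit positions are numbered 1..64 as in FIPS 46; the sets A-D are the paper's."""
A = (1, 2, 3, 17, 18, 19, 33, 34, 35, 36, 49, 50, 51, 52)
B = (4, 5, 6, 7, 20, 21, 22, 23, 37, 38, 39, 53, 54, 55)
C = (9, 10, 11, 25, 26, 27, 41, 42, 43, 44, 57, 58, 59, 60)
D = (12, 13, 14, 15, 28, 29, 30, 31, 45, 46, 47, 61, 62, 63)

def labelled_key(n):
    """K(n) as 8 bytes: the four label bits (msb first) give the common value
    of the bits in A, B, C and D; bits 8, 16, ..., 64 are set to odd parity."""
    if not 0 <= n <= 15:
        raise ValueError("label must be a 4-bit number")
    bits = [0] * 65                                  # bits[1] .. bits[64]
    label = ((n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1)
    for value, subset in zip(label, (A, B, C, D)):
        for pos in subset:
            bits[pos] = value
    key = bytearray()
    for byte in range(8):
        seven = bits[8 * byte + 1: 8 * byte + 8]    # the 7 key bits of this byte
        parity = 1 - (sum(seven) & 1)               # odd parity over the byte
        key.append(int("".join(map(str, seven + [parity])), 2))
    return bytes(key)

def has_odd_parity(key):
    """True if every byte of an 8-byte DES key has an odd number of 1 bits."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def inverse_label(n):
    """Label of the inverse key K*: the paper's table pairs label ABCD with
    CDAB, i.e. the values chosen for (A, B) and for (C, D) change places
    (observed from the table, not derived here)."""
    return ((n & 0b0011) << 2) | (n >> 2)

def inverse_table():
    """The K / K* table of the paper, as a list indexed by the label."""
    return [inverse_label(n) for n in range(16)]

def weak_labels():
    """Labels whose key is its own inverse: the four weak keys."""
    return [n for n in range(16) if inverse_label(n) == n]

def semi_weak_pairs():
    """The six unordered (K, K*) pairs of semi-weak keys."""
    return sorted({tuple(sorted((n, inverse_label(n))))
                   for n in range(16) if inverse_label(n) != n})

if __name__ == "__main__":
    for n in range(16):
        print(f"K({n:2d}) = {labelled_key(n).hex()}   K* = K({inverse_label(n)})")
```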

The following easy lemma is a consequence of the fact that the expansion operator $E$ is a homomorphism.

Lemma 2

For any 32-bit vectors $U$ and $M$, and any 48-bit vector $K$,

$f(K, M) = f(K \oplus E(U),\, M \oplus U)$.

Proof:

(Here $f$ is identified with the 48-bit S-box input $K \oplus E(M)$; the S-box and permutation stages that follow act identically on both sides.)

$f(K \oplus E(U),\, M \oplus U) = K \oplus E(U) \oplus E(M \oplus U)$
$= K \oplus E(U) \oplus E(M) \oplus E(U)$
$= K \oplus E(M)$
$= f(K, M)$. ∎

The argument used to count the number of fixed points of a weak key can be captured in a more general statement in the next theorem.



Theorem 3

Suppose that for some key $K$, the round keys satisfy

$K_i \oplus K_{17-i} = E(U)$,

where $E(U)$ is the 48-bit expansion of some 32-bit vector $U$. Then the following are equivalent:

1) $m_8 \oplus m_9 = U$,

2) $m_i \oplus m_{17-i} = U$, for $0 \le i \le 17$,

3) $m_0 \oplus m_{17} = U$ and $m_1 \oplus m_{16} = U$.

Proof:

First note that 2) ⇒ 3) and 2) ⇒ 1) are obvious. From the definition of $m_j$ and $m_{17-j}$ we have

$m_j \oplus m_{17-j} = m_{j-2} \oplus f(K_{j-1}, m_{j-1}) \oplus m_{17-j+2} \oplus f(K_{17-j+1}, m_{17-j+1})$.   (*)

For 3) ⇒ 2) the above equation yields

$m_2 \oplus m_{15} = m_0 \oplus m_{17} \oplus f(K_1, m_1) \oplus f(K_1 \oplus E(U),\, m_1 \oplus U)$
$= m_0 \oplus m_{17}$
$= U$.

Then if we assume that for all $j < i$, $m_j \oplus m_{17-j} = U$, then (*) above can be used to show that $m_i \oplus m_{17-i} = U$. Thus by induction 2) is established.

For 1) ⇒ 2) we have

$m_{10} \oplus m_7 = m_9 \oplus m_8 \oplus f(K_9, m_9) \oplus f(K_9 \oplus E(U),\, m_9 \oplus U) = U$.

The induction argument used above applies again to complete the proof. ∎

For the all zeroes or the all ones key, the hypothesis of Theorem 3 is satisfied for $U$ equal to the all zeroes vector. Hence, fixed points for these keys coincide with those messages in which $m_8 = m_9$ during the encryption process. Since there are $2^{32}$ such possible equations, there are precisely $2^{32}$ fixed points for each key.

This theorem appears to be quite powerful, so the next issue is the identification of those keys which satisfy the hypothesis of the theorem.



Theorem 4

If for some key $K$, the round keys satisfy

$K_i \oplus K_{17-i} = E(U)$

where $E(U)$ is the 48 bit expansion of some 32 bit vector $U$, then $U$ is either the all zeroes or the all ones vector.

Proof:

The proof is again rather tedious and we refer the reader to [8] for its details. ∎

This theorem states that the only keys satisfying the hypothesis of Theorem 3 are those in which the round keys either form a palindromic sequence:

$K_i = K_{17-i}$,

or an antipalindromic sequence

$K_i = \overline{K_{17-i}}$.

The following theorem connects these conditions with the weak and semi-weak keys.

Theorem 5

A DES key $K$ has a palindromic round key sequence or an antipalindromic round key sequence if and only if $K$ is one of K(0), K(5), K(10) or K(15) in the first case or one of K(3), K(6), K(9) or K(12) in the second case.

Proof: See [8].

To end this section, we give a theorem which will be useful in studying the cycle structure of weak and semi-weak keys. One definition is required first. A point $x$ is an antifixed point of a key $K$ if $E(K,x) = \bar{x}$.
Theorem 6

For each of the keys with a palindromic round key sequence there are precisely $2^{32}$ fixed points and for each of the keys with an antipalindromic round key sequence there are precisely $2^{32}$ antifixed points.

Proof:

The fixed point argument was given earlier. For the antifixed point argument, the keys with an antipalindromic round key sequence satisfy Theorem 3 with $U$ being the all ones vector. Hence the antifixed points for these keys will coincide with those messages in which $m_8 = \overline{m_9}$ during the encryption process. Since there are $2^{32}$ such possible equations, there are $2^{32}$ possible antifixed points for each such key. ∎



The DES Engines

Two special-purpose hardware devices were designed and built 
at Sandia as part of this study. These devices will be referred 
to in this paper as the DES Engine and the Micro DES Engine. 

The DES Engine was designed to perform several types of cycle 
testing. It consists of 16 identical PC boards, each running a 
DES chip, the AM 9568, at high speed without changing keys. An 
IBM PC is used to provide communication with the user and to count 
the number of encryptions performed. 

There are two basic modes of operation for this machine. In 
the first mode, each board performs a cycle test experiment using 
its preset key, independently of all other boards. In the second 
mode, the boards are paired so that cycle testing using alternat- 
ing keys may be performed. The output of one board in the pair is 
used as the input to the other board. By this means, the pair can 
perform an experiment with alternating keys, while each DES chip keeps its preset key unchanged.

Without describing the hardware in detail, the rudiments of its operation will be discussed. As part of the initialization of an experiment, several variables are set. These include a key, two starting points, SA and SB, and two other values, HA and HB, called "hit values". During the first step of the counter, SA is encrypted with the set key and compared to HA. If there is a match, the machine stops to report this result. It also stops if the encrypted value of SA is the same as SA, i.e., a fixed point has been found, or if a specified number of steps have been taken. The encrypted value of SA then is stored in the place of SA. During the next step of the counter, SB is encrypted with the preset key and compared to HB. The stop conditions described above are checked and, if not met, the encrypted value of SB replaces the original SB. This process continues until a condition for a machine halt is met or the operator intervenes. The machine will complete about $2^{32}$ encryptions per cycle per day.

The Micro DES Engine is a very specialized piece of hardware which was designed to take advantage of the internal structure of DES to find specific examples. In order to explain its operation, we need some notation. Suppose we are given two keys, K1 and K2, and two 32 bit vectors, $m_0$ and $m_1$. Let $M$ be the concatenation of $m_0$ and $m_1$. To compute $E(E(M, K1), K2)$ we would calculate

$m_{i+1} = m_{i-1} \oplus f(m_i, K1_i)$ for $0 < i < 17$.

Then letting $n_0 = m_{17}$ and $n_1 = m_{16}$, we would calculate

$n_{i+1} = n_{i-1} \oplus f(n_i, K2_i)$ for $0 < i < 17$.

The resulting concatenation of $n_{17}$ and $n_{16}$ would be the result. The Micro DES Engine allows us to specify two keys, two integers, $i$ and $j$, and two 32 bit vectors $U$ and $V$. It then allows $m_i$ to assume all $2^{32}$ possible values. For each such value, $m_{i+1}$ is set to $m_i \oplus U$. Proceeding through the rounds of DES using the first of the keys, $m_{i+2}, \ldots, m_{17}$ are calculated. Now setting $n_0 = m_{17}$ and $n_1 = m_{16}$, the engine calculates the rounds of DES using the second key until it has found $n_{j+1}$. If $n_{j+1} = n_j \oplus V$, the result is reported before changing the value of $m_i$. In other words, the Micro DES Engine starts at some specified round of encryption with the first key and some linear relationship between adjacent terms of the sequence $\{m_i\}$ and stops at another specified round of encryption with the second key to check for another linear relationship between adjacent terms of the sequence $\{n_i\}$. There is a technical restriction that the combined number of rounds of DES in one of these steps cannot exceed 16. The complete experiment, trying all $2^{32}$ choices for $m_i$, requires approximately 13 hours of operation.

The Weak Key Cycle Structure

Before proceeding with the details of the cycle structures for any of the keys, we need to make the observation that the complement of any cycle is also a cycle since

$\overline{E(K,x)} = E(\bar{K}, \bar{x})$.

This complementary cycle will also be called the dual cycle.

We are now ready to consider the cycle structure for weak keys. Several important properties of the weak keys, which have already been discussed, will now come to bear on the cycle structure. These are:

1. There are 4 weak keys K(0), K(5), K(10) and K(15),

2. Each key is its own inverse,

3. Each key has $2^{32}$ fixed points.
Since each key is its own inverse, a cycle of repeated encryptions with a weak key will either consist of one point, a fixed point for that key, or two points. These cycles, of course, are rather trivial.

However, alternately encrypting with a weak key and its complement has already produced some interesting results. We will call cycles of this type Coppersmith cycles. To be specific, a Coppersmith cycle is a cycle obtained by alternately encrypting with a weak key and its complement in which a fixed point is eventually encountered.

Since the complement of a cycle is a cycle, Coppersmith cycles could conceivably be self-dual or occur in isomorphic pairs. However, in [8], it was shown that only the latter case is possible. Hence, Coppersmith cycles can never contain both a point and its complement.

The Coppersmith cycles traced thus far range in size from 1 
point to 12,605,533 points. Those cycles with one point are the 
"degenerate" Coppersmith cycles and were found with the use of the 
Micro DES Engine. 

To find a one point Coppersmith cycle, we must find a point which is fixed by both a weak key $K$ and its complementary key $\bar{K}$. Pictorially this cycle will be

[figure omitted]

Hence, we initialize the Micro DES Engine with these keys, $K$ and $\bar{K}$, set $i$ and $j$ equal to 8, and let $U$ and $V$ be the all zero vectors. The engine will then produce a list of all possible values for $m_8$, so that $m_8 = m_9$ in the encryption with $K$ and $n_8 = n_9$ in the encryption with $\bar{K}$. From this we can produce a list of all fixed points of $K$ which are also fixed points of $\bar{K}$. There is exactly one degenerate pair of complementary cycles for the key pair K(0), K(15) and one for the key pair K(5), K(10). These are

x = 74080FA36E793E74 (Hex)

with x fixed by K(0) and K(15), and

y = 1BDAFF22E4BDDA52 (Hex)

with y fixed by K(5) and K(10).

Excluding these degenerate cases, the remaining Coppersmith cycles traced thus far range in size from 12,605,533 points ($\approx 2^{23.6}$) to 26,717,619,870 points ($\approx 2^{34.6}$). We have traced 174 such cycles and find that these appear to end in fixed point cycles on the same key or on different keys with equal probability. We give one example in each case:

x = A1E1751167FED858 (Hex) fixed by K(15)

and

y = 07CDA64B52C48D2F (Hex) fixed by K(0)

with a cycle length of 12,605,633 points ($\approx 2^{23.6}$) and

x = 0A60B8BCFB7F4116 (Hex) fixed by K(15)

and

y = C4D9A9A9EDC09B8C (Hex) fixed by K(15)

with a cycle length of 158,461,212 points ($\approx 2^{27.2}$).

The process of alternately encrypting with a weak and a semi-weak key may never encounter a fixed point. Cycles of this type will be called non-Coppersmith. These seem to naturally divide into two classes depending upon whether or not a point and its complement occur in the same cycle. The cycle containing a point $x$ and the cycle containing $\bar{x}$, which may be disjoint, have the local structure

[figure omitted]

and

[figure omitted]

since $E(K,x) = \overline{E(\bar{K},\bar{x})} = v$, etc. Analysis of the structure of such cycles leads to the discovery that non-Coppersmith cycles occur either as self-dual, centrally symmetric, cycles of the form

[figure omitted]

or as isomorphic pairs of the form

[figure omitted]

The central symmetry of both keys and points on the self-dual non-Coppersmith cycles means that the size of such a cycle must be congruent to 2 mod 4. The details of these theoretical results are in [8].

However, in an extensive computer search, no instance of either of these types of non-Coppersmith cycles has been found. Since there are exactly $2^{32}$ Coppersmith cycles and $2^{64}$ points in all, a reliable estimate of the size of Coppersmith cycles could be used to infer the likelihood of the existence of non-Coppersmith cycles. The best that can be said based on the 174 known cycles is that with a confidence of 99.9%, the fraction of the points in Coppersmith cycles is at least 96%. In other words, if 96% or fewer of the points are actually in Coppersmith cycles, 174 random selections would all be in Coppersmith cycles only one time in a thousand. This type of statistical argument can never prove the non-existence of non-Coppersmith cycles, but it can (as the number of unsuccessful tries increases) quantify the futility of continuing to search for them by a brute force random selection of starting points. If these exist, degenerate forms are also possible and would have the following structures:
Degenerate self-dual non-Coppersmith

[diagram: a cycle on the two points x and x̄ alone]

Complementary pair of degenerate non-Coppersmith

[diagram: two disjoint cycles, one on x and y, the other on x̄ and ȳ]
Unfortunately, we have no easy way to find these degenerate cases, if they exist, so producing one appears to be a 2^64 search problem.

The final variety of cycle for the weak keys which we will 
consider consists of those obtained by alternate encryptions with 
any two weak keys. Obviously the cycles already discussed are 
special cases of these, in which the two keys are actually the 
same or one is the complement of the other. However, the 
remaining pairings give rise to some new cycle structures. 

In this new setting, a cycle very much like the Coppersmith cycle is encountered in that it has a fixed point at either end of a chain of beads as in the Coppersmith cycles. However, there is no reason to believe that such a cycle would not contain both a point and its complement. Therefore, these new cycles have an extra possible class to consider. Of course, just as for the alternation of a weak key and its complement, a cycle alternating between any two weak keys might never encounter a fixed point. Thus structures corresponding to the non-Coppersmith cycles above appear to be possible. At this time, no results are available except for those degenerate cases which could be found with the Micro DES Engine. No points were found which were fixed simultaneously by K(0) and K(10), however two points were found for K(0) and K(5). Hence, we obtain two degenerate pairs of complementary cycles, for this key pair, of the form:

[diagram: complementary pair of degenerate cycles, each with a fixed point at either end]

If we consider the cycles in which fixed points are encountered and in which both a point and its complement are found, the degenerate case would be of the form:

[diagram: degenerate self-dual cycle on x and x̄ with fixed points at both ends]

This is not possible since we would have to find a point x for which $E(K,x) = x$ and $E(K,\bar{x}) = \bar{x}$. The last equation requires that $E(\bar{K},x) = x$, so that x would have to be a point fixed by K and its complement K̄. The complete list of such points is available and for each such point x and each choice of a weak key K', we have verified that $E(K',x) \neq x$.

The cycles in which a fixed point does not occur seem to once again require the solution of a 2^64 search problem to locate degenerate cases, so that no such cycles have been produced.
The Semi-weak Keys

The semi-weak keys will be considered in two stages. There are four keys which have an antipalindromic sequence of round keys, as was discussed earlier. The remaining eight semi-weak keys have a different structure for their round keys. The discussion of these keys will be delayed until later in this section.

We begin by summarizing the properties, which were developed in the previous sections, of the keys with an antipalindromic sequence of round keys.

1) There are 4 of these keys: K(3), K(6), K(9) and K(12).

2) The complement of one of these keys is its inverse key.

3) Each key has 2^32 antifixed points.

Once again two cases seem to occur. A cycle which contains a point x may either contain its complementary point x̄ or not. We will consider the first case now.
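Added example, not from the paper: a small model of the two cycle classes just described. The maps the paper traces satisfy E(x̄) = \overline{E^{-1}(x)}: for a semi-weak key with an antipalindromic round-key sequence because its complement is its inverse key, and for alternate encryption with a weak key and its complement by the DES complementation property. Any such E can be written E = c∘J with c the bitwise complement and J an involution, so the block builds a constructed random involution J on 8-bit points (a stand-in for the 64-bit DES block), traces every cycle of E, sorts the cycles into self-dual ones and complementary pairs, and checks the structure the text derives: a self-dual cycle has even length, complementation reflects it in a diameter, and its two antifixed points are antipodal. The function names and the 10% fixed-point fraction are the example's own choices.

```python
"""Toy model of the two cycle classes (added example, not from the paper).
E is a permutation of 8-bit points with E(~x) = ~E^-1(x); every such E is
c o J for the complement map c and an involution J, so a constructed random
involution stands in for the 64-bit DES maps studied in the text."""
import random

BITS = 8
MASK = (1 << BITS) - 1

def c(x):
    """Bitwise complement of a BITS-bit point."""
    return x ^ MASK

def random_involution(seed, fixed_fraction=0.1):
    """A map J with J(J(x)) = x: pair up points at random, leave some fixed.
    Fixed points of J become antifixed points of E (E(x) = ~x)."""
    rng = random.Random(seed)
    pts = list(range(1 << BITS))
    rng.shuffle(pts)
    J = list(range(1 << BITS))
    free = pts[int(fixed_fraction * len(pts)):]
    for a, b in zip(free[0::2], free[1::2]):
        J[a], J[b] = b, a
    return J

def make_E(seed):
    """E = c o J, so that c(E(c(x))) = E^-1(x) for every point x."""
    J = random_involution(seed)
    return [c(J[x]) for x in range(1 << BITS)]

def trace_cycles(E):
    """All cycles of the permutation E as lists of points in traversal order."""
    seen, out = [False] * len(E), []
    for start in range(len(E)):
        if not seen[start]:
            cyc, x = [], start
            while not seen[x]:
                seen[x] = True
                cyc.append(x)
                x = E[x]
            out.append(cyc)
    return out

def analyse(E):
    """Sort cycles into self-dual ones (x and ~x on the same cycle) and
    complementary pairs, checking the structure the text describes."""
    cycles = trace_cycles(E)
    where = {x: (cid, i) for cid, cyc in enumerate(cycles) for i, x in enumerate(cyc)}
    report = {"self_dual": [], "pairs": [], "ok": True}
    paired = set()
    for cid, cyc in enumerate(cycles):
        L = len(cyc)
        other, m = where[c(cyc[0])]                 # c(x_0) = x_m on cycle `other`
        antifixed = [i for i, x in enumerate(cyc) if E[x] == c(x)]
        if other == cid:
            # Self-dual: complementation reflects the cycle, c(x_i) = x_{m-i},
            # so L is even and the two antifixed points lie L/2 apart.
            reflected = all(where[c(x)][1] == (m - i) % L for i, x in enumerate(cyc))
            antipodal = len(antifixed) == 2 and antifixed[1] - antifixed[0] == L // 2
            report["ok"] = report["ok"] and L % 2 == 0 and reflected and antipodal
            report["self_dual"].append(L)
        elif cid not in paired:
            # Complementary pair: ~ maps this cycle onto a disjoint cycle of the
            # same length (traversed backwards); neither contains an antifixed point.
            paired.add(other)
            report["ok"] = report["ok"] and len(cycles[other]) == L and not antifixed
            report["pairs"].append(L)
    return report

def all_in_class_probability(fraction, draws):
    """Chance that `draws` random starting points all land in a class holding
    `fraction` of the points; the text's 0.96^174 is about one in a thousand."""
    return fraction ** draws

if __name__ == "__main__":
    rep = analyse(make_E(3))
    print("structure checks:", rep["ok"])
    print("self-dual cycle lengths:", sorted(rep["self_dual"]))
    print("paired cycle lengths:", sorted(rep["pairs"]))
    print("P(174 draws all Coppersmith | 96%%) = %.2e" % all_in_class_probability(0.96, 174))
```

The reflection check is the toy counterpart of the "diametrical symmetry" the text derives for the semi-weak keys; changing `fixed_fraction` changes how many self-dual cycles appear, since each fixed point of J is an antifixed point of E and every antifixed point forces its cycle to be self-dual.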

Suppose that x is an antifixed point of a key K. Thus x and x̄ are in the cycle for K, but because $E(\bar{K},\bar{x}) = \overline{E(K,x)}$, these points are also in the cycle for K̄. Schematically, we have

[diagram: x and x̄ adjacent on the cycle for K, with the arrows for K̄ running the other way]

Now consider the points $a = E(K,\bar{x})$ and $b = E(\bar{K},x)$. Notice that $b = E(\bar{K},x) = \overline{E(K,\bar{x})} = \bar{a}$. Also, since K̄ is the inverse key for K, we have that $c = D(K,x) = E(\bar{K},x) = b = \bar{a}$. Hence the structure shown in the last diagram can be replaced by

[diagram: the same cycle with ā preceding x and a following x̄]

By repeating this argument, we see that the points in the cycle all occur as complementary points with one of the antifixed point pairs at each of the antipodal points as shown in the following diagram.

[diagram: self-dual cycle for K with an antifixed point pair at each of the two antipodal positions]
Of course, this means that these cycles are self-dual and have diametrical symmetry, i.e., every point, u, in the cycle is reflected in the diameter drawn through the centers of the antipodal antifixed point pairs into its complement, ū. Since each of these cycles must have precisely two antifixed point pairs in it and there are precisely 2^32 such points for each key, there are exactly 2^31 such cycles for each of the pairings of these semi-weak keys.

An example of a cycle of this type using K = K(3) has as the antipodal antifixed points:

x = 9EDB66CF776212B8(Hex)
y = 4B659E4C304032BF(Hex)

The cycle has a length of 6,236,877,706 ≈ 2^32.5.

We have not traced sufficiently many cycles of this type to permit a reliable estimate of the expected cycle size. It would appear to be in the vicinity of 2^32, which, since there are only 2^31 such cycles in all, would suggest that only half of the total number of points are in these self-dual (under complementation) cycles.

The other cycles for these keys must occur in complementary pairs. The form of these pairs of cycles is pictured below.

[diagram: complementary pair of cycles, one through u and the other through ū]

An example of a complementary pair of such cycles using K = K(3) are those on x and x̄ where

x = 51F25587495909A5(Hex)

which has a cycle length of 6,671,292,514 ≈ 2^32.6.

Given that both types of cycles occur for the semi-weak keys, i.e., self-dual and isomorphic pairs of cycles, an intriguing question is whether degenerate cycles exist or not. A degenerate self-dual cycle would be of the form

[diagram: a cycle on the two points x and x̄ alone]

while a degenerate isomorphic pair would be of the form

[diagram: a complementary pair of one-point cycles]

The Micro DES Engine allows us to answer the first half of the question. By letting the two keys be a complementary pair of the keys with antipalindromic round key sequences, choosing i = j = 6, and letting U and V be the all ones vectors, the set of all points which are antifixed by both of the chosen keys can be found. After trying all possible key pairs, we found that there is exactly one degenerate cycle for the key pair K(3), K(12) and one for the pair K(6), K(9). These are

x = 2046CAC677DCA40F(Hex)

for K(6) and K(9) and

x = 5A77FF65EC179215(Hex)

for K(3) and K(12). Unfortunately, Theorem 3 does not (so far as we can see) provide a means to reduce the 2^64 search for degenerate isomorphic pairs. We therefore do not know how many, if any, degenerate cycles of this type exist for the semi-weak keys.
We will now turn our attention to the remaining semi-weak keys. Listed below are the facts known about these keys:

1) There are 8 such keys,

2) The inverse of any key in the set is also in the set,

3) The complement of any key in the set is also in the set.

The round keys for a key K in this collection satisfy

where V is either the vector consisting of 24 ones followed by 24 zeroes or the vector consisting of 24 zeroes followed by 24 ones. Of course, the round keys do not satisfy the hypothesis of Theorem 3, since V ≠ E(U) for any 32 bit vector U.

At this time, we do not know about the cycle structure for these keys, but some intriguing experiments have been completed on the Micro DES Engine. We offer a few of them here simply as tantalizing bits of information. For the description of these experiments, let U_1 be the vector of 16 zeroes followed by 16 ones; U_2 be the vector of 32 zeroes; and U_3 be the vector of 32 ones.

The first experiment used the key K(4) in both key positions of the Micro DES Engine and the values of i and j were both set to 8. There were three stages to this experiment and in each stage U and V were set to be equal. When the value of U was set to U_1 the engine found 2 values for m_8, and when U = U_3 the engine found 1 value for n_9. However, none were found when U was equal to U_2. Pictorially we have

[diagram: y → x → z, both arrows encryption under K(4); the middle-round values m_8, m_9 are marked on the first arrow and n_8, n_9 on the second]

where the arrows from y to x and from x to z show encryption with key K(4). The points marked along the arrow show the middle step in the rounds, that is, the position of m_8, m_9 and n_8, n_9. The results of the experiment show that there exists a value for y in this diagram for which m_8 ⊕ m_9 = U = n_8 ⊕ n_9 when U is equal to U_1 or U_3 but not when U = U_2.

A similar experiment was performed with K(4) and K(11) as the keys in the Micro DES Engine. We found that a value for y existed for which m_8 ⊕ m_9 = U = n_8 ⊕ n_9 when U is equal to U_1 or U_2 but not when U = U_3.

Perhaps these strange results will point to new directions in this study of cycles for these semi-weak keys.

New Directions

The results reported here are part of a study which is not yet complete. We will continue to collect statistics on the cycles obtained by alternate encryptions using two weak keys and also on the cycles using semi-weak keys which have antipalindromic sequences of round keys. The remaining semi-weak keys seem to be an open area of discussion with many possible avenues to pursue.
1. INTRODUCTION

McEliece introduced a public-key cryptosystem based on algebraic coding theory using t-error correcting Goppa codes [McEliece '78]. But the McEliece Public-key Cryptosystem (MPBC) requires large block lengths with the capability to correct a large number of errors (n ≈ 1000 bits, t ≈ 50 bits) to be effective. This involves a very large computational (encryption and decryption) overhead to be practical in computer communications.

Private-key Algebraic-coded Cryptosystems (PRAC) were suggested by Rao [Rao '84b] using the same techniques as MPBC but keeping the public generator matrix private. PRAC provides better security with simpler error correcting codes and hence requires relatively low computational overhead. However, we show that PRAC can be broken easily by a chosen-plaintext attack. Both MPBC and PRAC are classified as Algebraic-Coded Cryptosystems (ACC) here.

This paper introduces a new approach to PRAC, which requires simple error correcting codes (i.e. distance 3 codes) and also provides a much higher security level.

1.1. McEliece Public-key Cryptosystems (MPBC)

Encryption

Let G be a k×n generator matrix of a linear code over GF(2) capable of t-error correction. The rate of the code is k/n. We can select a random k×k nonsingular matrix S called the scrambler and a random n×n permutation matrix P. Having G, S and P, we can compute the public generator matrix G' such that G' = SGP, which is combinatorially equivalent to G.

Then the encryption is done by:

C = MG' + Z

where C : ciphertext of length n,
M : plaintext message of length k,
Z : random error vector of length n with weight t.

Note that the vectors are italic lettered, and weight means Hamming weight.



Decryption

The decryption is very straightforward. From the encryption equation

G' = SGP
C = MG' + Z
  = MSGP + Z
  = M'GP + Z        where M' = MS

Hence, we can recover M as given by the following steps.

Step 1  Compute C':

C' = CP^T = M'G + ZP^T
          = M'G + Z'      where Z' = ZP^T
(Note: Z' has the same weight as Z since P and P^T are permutation matrices.)

Step 2  Decoding and error correction (Patterson Algorithm [MCEL 77]).

Step 3  Recover plaintext M:

M = M'S^{-1}



Cryptanalysis of MPBC

As suggested by McEliece in his paper [McEliece '78], there could be two kinds of basic attacks for the cryptanalyst to try.

(a) Factoring S, G and P from G'

Since the number of codes which are combinatorially equivalent to a given code is astronomical, it is a hopeless task to find out the exact keys S, G and P used for G'. However, the cryptanalyst needs only some S_1, G_1 and P_1 such that S_1 G_1 P_1 = G' and G_1 is a t-error correcting code. For the given G', the cryptanalyst can obtain S_1, G_s and P_1 satisfying the equation S_1 G_s P_1 = G', where G_s is a generator in systematic form. G_s is obtained from G' by elementary row operations (row canonical reduction) and column operations. G', G_s and G are all said to be combinatorially equivalent. Whereas G corresponds directly to a Goppa code which has well understood and well-known decoding algorithms, no such would be possible for G_s. Trial and error manipulation to obtain a G_s coinciding with an equivalent Alternant code generator would require an astronomically large work factor.

(b) Recovering M from C directly without keys

Another approach involves solving a set of k unknowns from n simultaneous equations for all possible Z values.

Let M and C be a plaintext-ciphertext pair

M = m_1 m_2 m_3 ... m_k
C = c_1 c_2 c_3 ... c_j ... c_n
Z = z_1 z_2 z_3 ... z_k ... z_n
G' = [G_ij'],  i = 1, ..., k;  j = 1, ..., n
(t-error correcting algebraic code)

Then, for j = 1, ..., n

c_1 = m_1 G_11' + m_2 G_21' + ... + m_k G_k1' + z_1
c_2 = m_1 G_12' + m_2 G_22' + ... + m_k G_k2' + z_2
...
c_n = m_1 G_1n' + m_2 G_2n' + ... + m_k G_kn' + z_n

To solve the k unknowns (m_1, m_2, ..., m_k), k^3 operations are required, because k equations are sufficient to solve the equations if the code is a maximal distance separable (MDS) code. Otherwise, at most k' = n-d+1 equations are required to solve for the k unknowns [Pless '82].

Since t is smaller than n-k, it is possible that the cryptanalyst could select k equations containing no errors from the n equations. Therefore, the cryptanalyst could repeat solving equations by selecting arbitrary k equations from the n simultaneous equations with the assumption of no errors in the selected equations until a meaningful plaintext is obtained.

The probability of no errors in k equations, P_k, is:

and the average number of repetitions is P_k^{-1}.

Hence, the average work factor T is:

T = k^3 · P_k^{-1}

However, this does not include the work factor to check whether the plaintext M obtained by solving equations is correct (i.e., meaningful) or not. It is assumed that the plaintexts are from a source such as natural language or a programming language which contains an enormous amount of redundancy [Denning '82]. Redundancy in M helps to determine the validity of the plaintext derived.

1.2. Private-key Algebraic-coded Cryptosystems (PRAC) 

To increase information rate and to reduce computational (encryption and 
decryption) overhead of MPBC, Private-key Algebraic-coded Cryptosystems 
(PRAC) were suggested [Rao '84b]. PRAC can provide better security with 
simpler error correcting codes, hence, require relatively low computational over- 
head compared to MPBC. 

PRAC keeps G' private as well as S, P and G to provide higher security 
level. A known-plaintext attack to PRAC is feasible by solving matrices for 
each column vector of G' independently but this method requires a very large 
set of known (M ,C) pairs. Hence, this attack can be foiled by periodic change 
or modification of the keys by the cryptographer. However, the analysis given 
below shows that PRAC still requires large t to be secure from a chosen- 
plaintext attack. 
Chosen-Plaintext Attack

The cryptanalyst is required to go through two steps.

Step 1 : Solve for G' from a large set of (M,C) pairs.

Step 2 : Determine M from C using G' obtained in Step 1 (same work factor as in MPBC).

It can be safely assumed that a chosen plaintext of the form M = (00...010...0) with only one 1 in the i-th position (for i = 1, ..., k) is not allowed by the cryptosystem. However, a chosen-plaintext attack may proceed as follows.

Let M_1 and M_2 be two plaintexts differing in one position only, that is,

M_1 - M_2 = (00...010...0)      (1 in the i-th position, for i = 1, ..., k)

then,

C_1 - C_2 = g_i' + (Z_1 - Z_2)      (Eq. 1)

where g_i' is the i-th row vector of G'. The Hamming weight of (Z_1 - Z_2) is at most 2t. Since t is much smaller than n, the majority of the bits of the vector C_1 - C_2 correspond directly with g_i'. We can let C_1 - C_2 represent one estimate of g_i'. By repeating the step several times a number of estimates of g_i' can be obtained. From these estimates of g_i' and by majority voting for each position, the vector can be correctly determined. This step repeated for all i = 1, 2, ..., k will give us G', which can be used to break the code by Step 2. This Step 2 will require a relatively small work factor because t is small.

However, a chosen-plaintext attack of the above nature can succeed only when t/n is small, and it will not if t ≈ n/2.
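Added simulation, not the paper's code, of the estimate in Eq. 1 and of why the attack needs t/n to be small: each observation is g_i' with the positions of Z_1 - Z_2 flipped, and a per-position majority vote over many observations recovers the row when few positions are flipped but recovers nothing when about half of them are, which is what a weight near n/2 produces. Z_1 and Z_2 are modelled as constructed random vectors of weight t, and all function names are the example's own.

```python
"""Majority-vote recovery of a generator row from ciphertext differences
(added simulation, not the paper's code).  Each sample is the row with the
positions of Z1 xor Z2 flipped; Z1, Z2 are constructed random vectors of
weight t, so a position is flipped with probability about 2(t/n)(1 - t/n)."""
import random

def random_weight_t(n, t, rng):
    """Set of t distinct error positions in an n-bit vector."""
    return set(rng.sample(range(n), t))

def difference_samples(row, n, t, count, rng):
    """`count` observations of row + (Z1 - Z2) over GF(2), as bit lists."""
    samples = []
    for _ in range(count):
        flipped = random_weight_t(n, t, rng) ^ random_weight_t(n, t, rng)
        samples.append([row[j] ^ (j in flipped) for j in range(n)])
    return samples

def majority_vote(samples, n):
    """Per-position majority over the samples (ties resolve to 0)."""
    return [int(sum(s[j] for s in samples) * 2 > len(samples)) for j in range(n)]

def recovered_fraction(n, t, count, trials, seed):
    """Fraction of random rows recovered exactly by voting over `count` samples."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        row = [rng.randrange(2) for _ in range(n)]
        hits += majority_vote(difference_samples(row, n, t, count, rng), n) == row
    return hits / trials

if __name__ == "__main__":
    # Small t/n, as in the original PRAC: the vote converges on the row.
    print("t = 3,  n = 64:", recovered_fraction(64, 3, 31, 50, 1))
    # t about n/2: each position of the difference is a coin flip.
    print("t = 32, n = 64:", recovered_fraction(64, 32, 31, 50, 2))
```

With t = 3 and n = 64 a position is flipped in roughly 9% of the samples, so 31 samples decide every position correctly; with t = 32 the flip probability is 1/2 and no number of samples helps, which is the property the modified system of section 2 relies on.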
2. MODIFIED CRYPTOSYSTEMS

2.1. Introduction

Our intent here is to obtain private-key cryptosystems using simple algebraic codes such as Hamming codes or distance 5 BCH codes. Furthermore, we would still want the Z vector to have a weight t sufficiently large to provide good security. By a clever design we will show that we could obtain t ≈ n/2. Obviously it would not be possible unless we change or modify the original encryption method.

Here we develop such a modification and show that it is indeed possible to use simple (i.e., short distance) algebraic codes for PRAC which are very secure from chosen-plaintext attacks. Clearly a system that is secure from such an attack is also secure from other attacks including known-plaintext attacks.

2.2. Encryption of Modified PRAC

This approach uses a minimum distance 3 code generator G (as an example) and uses specific error patterns for the random error vector Z, of which the average Hamming weight is approximately n/2. The encryption method is modified as follows.

Let G' = SG

where S : k×k nonsingular matrix
G : k×n distance 3 code generator matrix
G' : k×n encryption matrix

Then

C = (MG' + Z)P      (Eq. 2)

where M : plaintext of length k
C : ciphertext of length n
P : n×n permutation matrix
Z : a random ATE (Method 1) or an entry of the Syndrome-error table (Method 2)
(Method 1 and 2 are described below.)

Since the security of PRAC crucially depends on the weight of Z, the selection of Z is very important. We introduce two kinds of error patterns.

Method 1 : Use adjacent t errors for Z.

Definition 1 : Adjacent t Errors (ATE)

An ATE is a vector of length n with t (< n/2) adjacent errors, i.e., an ATE consists of n-t 0's and t consecutive 1's. An ATE must not be a codeword.

A random ATE can be used for Z. There exist exactly n-t+1 ATE's for the given n and t (and n ATE's for cyclic codes).

Method 2 : Use of a predetermined set of vectors (Syndrome-error table).

A predetermined set of vectors consisting of one from each coset of the standard array decoding table can be used for Z. Each coset has a distinct syndrome and there are exactly 2^{n-k} cosets [Blahut '83, Lin '83]. Therefore, we could select any set of vectors, one from each of the 2^{n-k} cosets. The set is predetermined in the sense that the decryptor knows the Syndrome-error table used for Z. Fig. 1 shows an example of a standard array and Syndrome-error table. The vectors in the rectangular boxes are selected as Z-vectors.



H = | 0 1 1 1 0 0 |
    | 1 0 1 0 1 0 |
    | 1 1 0 0 0 1 |

Coset leader                                                              Syndrome
000000   001110   010101  [100011]  011011   101101   110110   111000      000
000001   001111   010100   100010  [011010]  101100   110111   111001      001
000010   001100   010111   100001   011001   101111  [110100]  111010      010
000100   001010   010001   100111   011111  [101001]  110010   111100      100
001000   000110  [011101]  101011   010011   100101   111110   110000      110
010000   011110   000101  [110011]  001011   111101   100110   101000      101
100000  [101110]  110101   000011   111011   001101   010110   011000      011
001001   000111   011100   101010   010010   100100   111111  [110001]     111

(The bracketed entries are the vectors shown boxed in the original figure, one per coset; these are the ones selected as Z-vectors.)

Fig. 1. Standard array for the (6, 3, 3) code
G' and P are secret encryption keys, and the Syndrome-error table is also secret in Method 2.

2.3. Decryption of Modified Cryptosystems

From the encryption algorithm (Eq. 2)

C = (MG' + Z)P
  = MSGP + ZP
  = M'GP + ZP      [M' = MS]

Decryption can be done using the secret keys S^{-1}, H^T (GH^T = 0) and P^T through the following steps.

Step 1  Obtain C':

C' = CP^T = M'G + Z

Step 2  Find the error pattern and recover M':

C'H^T = M'GH^T + ZH^T
      = ZH^T      (Syndrome)

Identify the error pattern (use the Syndrome-error table look-up for Method 2). Recover M' by correcting for the error pattern.

Step 3  Recover plaintext M:

M = M'S^{-1}

Note : It appears that this approach requires long keys (S, P, G and the Syndrome-error table for Method 2). However, the keys could be generated by using a pseudo-random number generator algorithm. In that case the user may require only short seeds for keys S, P and the Syndrome-error table. This problem is not addressed here and it would be a topic for future work.
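Added worked example, not the paper's code, covering the encryption and decryption steps of section 1.1 (MPBC: G' = SGP, C = MG' + Z with a weight-1 error corrected by standard-array decoding) and of sections 2.2-2.3 (modified PRAC: G' = SG, C = (MG' + Z)P with Z drawn from the Syndrome-error table), both on the (6,3,3) code of Fig. 1, with the boxed entries of its standard array as the table. S and P are constructed from a seed, the helper names are the example's own, and a brute-force count of the 3×3 nonsingular matrices over GF(2) is included as a check on the product formula of Lemma 3 in section 3.

```python
"""Worked toy of the algebraic-coded cryptosystems in the text (added example,
not the paper's code): the (6,3,3) code and Syndrome-error table of Fig. 1,
McEliece-style encryption C = MG' + Z with G' = SGP, and the modified PRAC
C = (MG' + Z)P with G' = SG.  Vectors are ints read MSB-first as bit strings;
matrices are lists of row vectors over GF(2)."""
import itertools
import random

N, K = 6, 3
G = [0b100011, 0b010101, 0b001110]   # systematic generator [I_3 | P] of Fig. 1
H = [0b011100, 0b101010, 0b110001]   # parity-check rows of Fig. 1, G H^T = 0
# Method 2: one vector per coset (the boxed entries of Fig. 1), keyed by syndrome.
TABLE = {0b000: 0b100011, 0b001: 0b011010, 0b010: 0b110100, 0b100: 0b101001,
         0b110: 0b011101, 0b101: 0b110011, 0b011: 0b101110, 0b111: 0b110001}

def weight(v):
    return bin(v).count("1")

def vec_mat(v, rows, n_in):
    """Row vector v (n_in bits) times a matrix given as row vectors, over GF(2)."""
    out = 0
    for i, row in enumerate(rows):
        if v >> (n_in - 1 - i) & 1:
            out ^= row
    return out

def syndrome(c):
    """H c^T as an (N-K)-bit int, first row of H in the top bit."""
    return sum((weight(row & c) & 1) << (N - K - 1 - i) for i, row in enumerate(H))

def permute(v, perm, n):
    """v P for the permutation matrix P that moves bit i to position perm[i]."""
    return sum(1 << (n - 1 - perm[i]) for i in range(n) if v >> (n - 1 - i) & 1)

def gf2_inverse(rows, k):
    """Invert a k x k GF(2) matrix by Gauss-Jordan on [A | I]; None if singular."""
    aug = [(r << k) | (1 << (k - 1 - i)) for i, r in enumerate(rows)]
    for col in range(k):
        bit = 1 << (2 * k - 1 - col)
        piv = next((i for i in range(col, k) if aug[i] & bit), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(k):
            if i != col and aug[i] & bit:
                aug[i] ^= aug[col]
    return [r & ((1 << k) - 1) for r in aug]

def count_nonsingular(k):
    """Brute-force count behind Lemma 3 (section 3): prod_{i<k} (2^k - 2^i)."""
    return sum(gf2_inverse(list(m), k) is not None
               for m in itertools.product(range(1 << k), repeat=k))

def keygen(seed):
    """Random nonsingular scrambler S with its inverse, and a random permutation P."""
    rng = random.Random(seed)
    while True:
        S = [rng.randrange(1, 1 << K) for _ in range(K)]
        S_inv = gf2_inverse(S, K)
        if S_inv is not None:
            break
    P = list(range(N))
    rng.shuffle(P)
    return S, S_inv, P

def coset_leader(s):
    """Minimum-weight vector with syndrome s (standard-array error correction)."""
    return min((v for v in range(1 << N) if syndrome(v) == s), key=weight)

def unpermute(c, P):
    """C P^T: undo the column permutation."""
    return permute(c, [P.index(i) for i in range(N)], N)

# McEliece-style MPBC (section 1.1): public G' = SGP, Z of weight t = 1.
def mpbc_encrypt(M, S, P, rng):
    G_pub = [permute(vec_mat(r, G, K), P, N) for r in S]
    return vec_mat(M, G_pub, K) ^ (1 << rng.randrange(N))

def mpbc_decrypt(C, S_inv, P):
    C1 = unpermute(C, P)                      # Step 1: C P^T = M'G + Z'
    C1 ^= coset_leader(syndrome(C1))          # Step 2: correct the single error
    return vec_mat(C1 >> (N - K), S_inv, K)   # Step 3: M = M' S^-1 (G systematic)

# Modified PRAC (sections 2.2-2.3): secret G' = SG, C = (MG' + Z)P, Z from TABLE.
def prac_encrypt(M, S, P, rng):
    G_sec = [vec_mat(r, G, K) for r in S]
    Z = TABLE[rng.randrange(1 << (N - K))]    # any coset, so any weight up to n
    return permute(vec_mat(M, G_sec, K) ^ Z, P, N)

def prac_decrypt(C, S_inv, P):
    C1 = unpermute(C, P)                      # Step 1: C P^T = M'G + Z
    C1 ^= TABLE[syndrome(C1)]                 # Step 2: syndrome -> Z via the table
    return vec_mat(C1 >> (N - K), S_inv, K)   # Step 3: M = M' S^-1

def roundtrip(seed, trials=100):
    """True iff every 3-bit plaintext survives both systems under fresh random Z."""
    S, S_inv, P = keygen(seed)
    rng = random.Random(seed + 1)
    return all(mpbc_decrypt(mpbc_encrypt(M, S, P, rng), S_inv, P) == M
               and prac_decrypt(prac_encrypt(M, S, P, rng), S_inv, P) == M
               for _ in range(trials) for M in range(1 << K))

if __name__ == "__main__":
    print("round trips ok:", roundtrip(7), "| nonsingular 3x3:", count_nonsingular(3))
```

The two decryptions differ only in Step 2: MPBC must find the lowest-weight vector in the coset (the error it can correct is bounded by the code's distance), whereas the modified scheme looks the syndrome up in the agreed table, so Z may be any vector of its coset, including ones of weight well above the code's correction capability.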
2.4. Application to JOEEC

Recently Joint Encryption and Error-control Coding (JOEEC) was sug- 
gested [Rao '84a]. This approach combines data encryption and error-control 
coding steps into one step to gain speed and efficiency in implementation. 

The modified cryptosystems could also be implemented as JOEEC by us- 
ing higher distance codes. But the application to JOEEC of this approach is 
presently being studied. 



3. CRYPTANALYSIS OF MODIFIED CRYPTOSYSTEMS

The encryption algorithm (Eq. 2) can be rewritten as follows.

C = (MG' + Z)P
  = MG'' + ZP

where G'' = G'P = [g_i''] for i = 1, ..., k, and g_i'' is a row vector.

The following lemmas help us to establish the high level of security provided by this new approach.

Lemma 1 : The number of P's that transform ATE's into non-ATE's is at least (n - b - 1)! if 2 < t < n/2, where n is the length of the ATE and t is the length of adjacent errors.

Outline of Proof: Let vector V be an ATE of length n. We select a set of positions, {1, 2, t, 2t, ..., bt}, from V where b = ⌊n/t⌋. We reorder these positions as an ordered set, B = {1, t, 2t, ..., bt, 2}. This mapping is illustrated in the figure below.

[figure: V, an ATE of length n with positions 1, 2, t, 2t, 3t, ..., bt, n marked and b = ⌊n/t⌋; the ordered set B = {1, t, 2t, ..., bt, 2}; and V', a non-ATE of length n with B embedded in it]

We consider a permutation map of vector V to V' with B embedded in V'. The purpose is to make V' a non-ATE. This is achieved because B contains at least one '1' separated by '0's. Strictly B could start from any position of V' and therefore we have n-b-1 choices. In addition the number of permutations possible for V → V' of the remaining positions is (n-b-2)!. Thus the total number of permutations transforming an ATE vector V to a non-ATE vector V', N_p, can be shown to be at least

N_p = (n-b-1) · (n-b-2)!
    = (n-b-1)!      QED.

This formula gives a lower bound for N_p of (n-3)! when t = n/2.

Lemma 2 : The number of code generators combinatorially equivalent to an (n, k, 3) code generator is at least k!.

Proof: Let G be an (n, k, 3) code generator in systematic form.

G = [I_k  P_{k,n-k}]

where I_k is an identity matrix and P_{k,n-k} is a parity check matrix.

Then, there are k! row combinations of the parity check matrix, which are distinct (n, k, 3) code generators also. All of these code generators can be obtained by row exchange and column permutation of G, and hence are combinatorially equivalent to G [Peterson '72].

Lemma 3: The number of k×k non-singular matrices over GF(2), N_s, is given by

N_s = ∏_{i=0}^{k-1} (2^k - 2^i) > 2^{k^2 - k}      (Eq. 3)

Proof: We can start with any non-zero vector for the first row of the non-singular matrix S and we have 2^k - 1 choices. The second row must be linearly independent of the first. That is, we have 2^k - 2 choices for the second row. For the third row the choice is any vector linearly independent of the first two. Clearly it has (2^k - 2^2) choices. Continuing this way, the number of non-singular matrices is given by the equality (Eq. 3). Since there are k terms in the product, the smallest of which is 2^{k-1}, the inequality is easily proved.

An attack by exhaustive search for S, G and P is considered a hopeless task due to the results of the above Lemmas. The previously described method of the chosen-plaintext attack (described in Section 1.2.1) cannot be applied here because the average Hamming weight of (Z_1 - Z_2)P is about n/2, which is very large. Therefore, we have to look for a different method of cryptanalysis and it could be as follows.



Let C_j and C_k be two distinct ciphertexts obtained for the same plaintext M. Then

C_j = MG'' + Z_jP
C_k = MG'' + Z_kP
C_j - C_k = (Z_j - Z_k)P

The above step provides one value for (Z_j - Z_k)P. This step needs to be repeated until all possible pairs of Z's are used. The number of distinct Z's is given by

N = n/2 for Method 1,
N > n for Method 2;

and the number of possible distinct values of (Z_i - Z_j)P is N(N-1)/2.

An expression for g_i'' by a computation as described in Section 1.2.1 is given by

C_1 - C_2 = g_i'' + (Z_1 - Z_2)P
g_i'' = C_1 - C_2 - (Z_1 - Z_2)P.      (Eq. 4)

Hence, every possible value of (Z_i - Z_j)P should be tested for (Z_1 - Z_2)P of Eq. 4. Since the correctness of each row vector of G'', g_i'', cannot be verified independently, the complete solution of G'' should be obtained and verified. This involves on the average a work factor T given by

Substituting for N, T can be shown to be Ω(n^{2k}). Thus we establish the following.
Claim : To determine G'' from a chosen-plaintext attack (as discussed above) has a work factor T = Ω(n^{2k}).

It can be easily shown that the above step, namely, the determination of G'', is the really dominant factor. Determination of the P and Z vectors is straightforward after that. As of now, the analysis and procedure explained seem to be the only possible approach to break the code and it requires an enormous work factor Ω(n^{2k}).

4. CONCLUSION

We have introduced a new approach to private-key algebraic-coded cryptosystems requiring only simple codes such as distance 3 codes. These systems will be very efficient because of high information rates and low overhead for encoding and decoding logic. The chosen-plaintext attack given here appears to be the only plausible approach for the cryptanalyst.

It requires a work factor Ω(n^{2k}) and is therefore computationally secure even for small k ≈ 50. It will be a challenge to find alternate methods of attack which can be successful.
Abstract. The homomorphic structure of RSA signatures can impair security. Variations on a generalization of RSA signatures are considered with the aim of obviating such vulnerabilities. Of these variations, which involve a function of the message in the exponent, several are shown to have potential weaknesses similar to those of RSA.

No attacks have been found for one of the variations. Its security does not depend on 
redundancy present in or artificially combined with messages. The same holds for a well-known 
use of RSA that relies on a one-way compression function. A comparison between the schemes 
is given. 

Introduction 

The RSA signature function is a homomorphism with respect to multiplication. This multi- 
plicative property can be useful, since it allows various powerful techniques, such as blind signa- 
tures [Chaum85]. However, the property also means a potential weakness for RSA signatures 
used in other applications, since it prevents some redundancy schemes from securing RSA signa- 
tures against attacks based on the property [DeJCh85]. 

One solution would be to find redundancy schemes that are able to resist such attacks. 
Another solution, which has been well-known in the folklore and offers some advantages, is to 
make use of a one-way compression function. A third approach is to try to find signature 
schemes that do not have such unwished for properties. This last approach is the main subject of 
this paper. 

The RSA digital signature scheme is extensively reviewed in section 2. Particularly, that 
section treats in some detail the aspects relevant to this paper: redundancy, chosen signature 
attacks, multiplicative attacks, chaining and compression. 

In section 3 a generalization of RSA signatures is introduced. This generalization encompasses, besides RSA, various other digital signature schemes. The properties of one of these schemes are analyzed in section 4 and compared with RSA in section 5.

1. RSA signatures

In the signature scheme of Rivest, Shamir and Adleman [RSA78], now widely known as RSA, each user chooses a large number n, which is a product of two large primes p and q, and a pair of numbers (e, d) such that e·d is congruent with 1 modulo φ(n). Here, φ denotes Euler's totient function and, since n = p·q, φ(n) is equal to (p - 1)·(q - 1). Each user has to publish his n and e, but should keep secret his d.

In RSA, a user A can construct a signature S_A on a suitable numeric message M by computing S_A(M) = M^{d_A} mod n_A, where d_A is A's secret and n_A is A's published product.

Since for other persons finding d_A is as difficult as factoring n_A (which is, as far as we know, infeasible for large, appropriately chosen n_A), only user A can compute S_A(M) in practice, so long as he keeps his d_A secret. As a consequence, anyone can substantiate a claim that A signed M if he can come up with S_A(M).

However, if somebody comes up with a number S and claims that it is M signed by A, one should be able to check whether indeed S is equal to S_A(M). Since only A can produce S_A(M), this check cannot be performed directly. But anyone can compute S^{e_A} mod n_A using the public numbers e_A and n_A. If the result of this computation is not equal to M mod n_A, then S cannot have been equal to S_A(M), since

(S_A(M))^{e_A} mod n_A = M^{d_A·e_A} mod n_A = M mod n_A.

Thus, if somebody comes up with a number S for which S^{e_A} mod n_A is equal to M, then one should be convinced that A signed M, otherwise not.

In RSA messages must be restricted to natural numbers less than n. (How to deal with larger messages will be explained in section 2.3.) Without this restriction, messages that are equal modulo n would have the same signature. Since n is publicly known, fraud would be too easy. One should not even use all numbers M with 0 < M < n for messages to be signed.

1.1 Redundancy to prevent a chosen signature attack

Rivest, Shamir and Adleman recommended that n be about 200 decimal digits long, which amounts to about 664 bits. For concreteness and convenience, while retaining an ample margin of safety, we will assume for the rest of this paper that n is 800 bits long.* Thus, a message can comprise as much as 100 bytes.

* One cannot choose n arbitrarily large, since the practicability of RSA decreases as n increases, due to the increasing computational cost of exponentiation.

A forger can choose a number $S_c$, with $S_c < n_A$, and compute $M_c = (S_c)^{e_A} \bmod n_A$ from it. Subsequently, he could claim successfully that $S_c$ is the message $M_c$ signed by A. Since exponentiation modulo n acts as a one-way function when $\phi(n)$ is unknown, this chosen signature attack can be used for finding signatures on "random" (i.e., unpredictable) messages only. (In other words, nobody but A can make the signature on a chosen message, but anybody can determine which message corresponds to a chosen signature.)

To prevent such unpredictable messages from having a reasonable chance of being meaningful, it is necessary to have redundancy in the messages. Thus, a distinction will be made throughout the paper between messages and valid messages. All numbers M with 0 < M < n are messages, but only a very small fraction of these are valid messages. For example, if 100 bits of redundancy is used, a chosen signature will have only a chance of $2^{-100}$ of corresponding to a valid message. Thus, finding a false signature (i.e., a signature on a valid message not actually signed by A) will cost $2^{100}$ trials on the average, which makes a successful chosen signature attack infeasible.

Finally, notice that messages need redundancy against a chosen signature attack because 
RSA is a readable signature scheme; i.e., a scheme whereby anyone can derive the message signed 
from the signature. 

1.2. Multiplicative attacks 

The need for redundancy in RSA messages has been established. To prevent a chosen sig- 
nature attack only the quantity of the redundancy present in valid messages is of interest. Still, 
the nature of the redundancy is also important, since RSA signatures have the property of being 
multiplicative. 

For example, suppose that person B can construct three valid messages $M_1$, $M_2$ and $M_3$ such that $M_3 = (M_1 \cdot M_2) \bmod n_A$. Then, if he succeeds in getting $M_1$ and $M_2$ signed by A, he can form the product (modulo $n_A$) of these signatures to get a false signature on $M_3$, since

$$S_A(M_3) = (M_1 \cdot M_2)^{d_A} \bmod n_A = ((M_1^{d_A} \bmod n_A) \cdot (M_2^{d_A} \bmod n_A)) \bmod n_A = (S_A(M_1) \cdot S_A(M_2)) \bmod n_A.$$

B can also use the inverse $M^{-1}$ or the opposite $-M$ of a message M of which he knows the corresponding signed version, as a factor in a product forming a new message, for $S_A(M^{-1} \bmod n_A) = (S_A(M))^{-1} \bmod n_A$ and $S_A((-M) \bmod n_A) = (-S_A(M)) \bmod n_A$. (This last equation is true because $d_A$ is known to be odd.)

Thus, if B knows A's signature on one or more valid messages $M_i$, he can easily forge a signature for any new valid message which he can discover how to rewrite as a product of message(s) $M_i$, their opposite(s) $-M_i$ or their inverse(s) $M_i^{-1}$ (all modulo $n_A$). (Notice that a message and/or its opposite and/or its inverse may occur in such a product more than once.) Therefore, the redundancy should prevent feasibility of discovering such valid messages.

As already mentioned, the protection that a redundancy scheme offers against a chosen sig- 
nature attack depends only on the amount of redundancy. For protection against multiplicative 
attacks, however, the nature of the redundancy is also important, because the difficulty of finding 
valid messages that are products of other valid messages or their inverses can be different for two 
redundancy schemes, even if both use the same amount of redundancy. Indeed, for some redun- 
dancy schemes it seems feasible to find such combinations even though these schemes command a 
considerable amount of redundancy [DeJCh85]. 

For example, in two simple redundancy schemes each message must start (respectively end) 
with a sequence of, say, 100 zero-bits to be accepted as a valid message. Although these two sim- 
ple and well-known techniques to add redundancy make a chosen signature attack infeasible, they 
do not generally provide sufficient protection against multiplicative attacks [DeJCh85]. 
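The identities of sections 1.1 and 1.2 checked numerically on a constructed textbook-size RSA key (an added example, not code from the paper; the key p = 61, q = 53, e = 17 and the 4-bit leading-zero redundancy rule are assumptions chosen for illustration):

```python
"""Textbook RSA signatures on a constructed toy key: the chosen signature
attack (section 1.1) and the multiplicative property (section 1.2).
Added example, not the paper's code; the 12-bit key is for illustration only."""

P_A, Q_A = 61, 53              # constructed secret primes of user A
N_A = P_A * Q_A                # 3233, A's published product n_A (12 bits)
PHI_A = (P_A - 1) * (Q_A - 1)  # 3120, kept secret
E_A = 17                       # A's public exponent e_A
D_A = pow(E_A, -1, PHI_A)      # 2753, A's secret exponent d_A (odd)


def rsa_sign(m):
    """S_A(M) = M^{d_A} mod n_A; only the holder of d_A can compute this."""
    return pow(m, D_A, N_A)


def rsa_verify(m, s):
    """Public check: S^{e_A} mod n_A must equal M mod n_A."""
    return pow(s, E_A, N_A) == m % N_A


def chosen_signature_message(s_c):
    """Section 1.1: for any chosen S_c < n_A, M_c = S_c^{e_A} mod n_A is a
    message on which S_c verifies; the forger controls S_c, not M_c."""
    return pow(s_c, E_A, N_A)


REDUNDANCY_BITS = 4  # assumed rule: a valid message has its top 4 bits zero


def is_valid_message(m):
    """Leading-zero redundancy (here 4 of 12 bits): only 1 in 16 unpredictable
    messages passes, which is what blunts the chosen signature attack.  It says
    nothing about products of valid messages, though (section 1.2)."""
    return 0 < m < (1 << (N_A.bit_length() - REDUNDANCY_BITS))


def product_signature(s1, s2):
    """S_A(M1) * S_A(M2) mod n_A is A's signature on (M1 * M2) mod n_A."""
    return (s1 * s2) % N_A


def inverse_signature(s):
    """S_A(M^{-1} mod n_A) = (S_A(M))^{-1} mod n_A."""
    return pow(s, -1, N_A)


def opposite_signature(s):
    """S_A((-M) mod n_A) = (-S_A(M)) mod n_A, since d_A is odd."""
    return (-s) % N_A


def multiplicative_property_demo(m1=12, m2=15):
    """Two valid messages whose product is itself a valid message: the derived
    signature on the product passes both the RSA check and the redundancy check,
    so leading zeros alone do not stop a multiplicative attack."""
    m3 = (m1 * m2) % N_A
    s3 = product_signature(rsa_sign(m1), rsa_sign(m2))
    return m3, s3, rsa_verify(m3, s3) and is_valid_message(m3)


if __name__ == "__main__":
    m3, s3, accepted = multiplicative_property_demo()
    print(f"derived signature {s3} on valid message {m3}: accepted={accepted}")
    m_c = chosen_signature_message(777)
    print(f"chosen signature 777 verifies on message {m_c}; valid={is_valid_message(m_c)}")
```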

1.3. Chaining or compression 

Since our RSA only provides signatures on messages of at most 800 bits, some method is 
needed to make it also useful for larger messages. 

An obvious approach is to split messages up into appropriate parts, and then to sign each 
part separately. To ensure that the parts are not re-ordered, they should be chained in some way; 
i.e., each part should contain extra information linking it unambiguously to (an)other part(s). 

Another solution is to use a suitable, publicly known, one-way compression function $F_c$ (see also section 4.4), which maps a message of any size to some 800-bit number, before applying the RSA signing function. Thus, A's signature on a message M will then be $(F_c(M))^{d_A} \bmod n_A$. Note that the function $F_c$ indeed needs the one-way property. Otherwise, a person having acquired A's signature on some message could determine some (or all) other messages having the same signature, and could claim successfully that he got such messages from A.

The one-way property of $F_c$ implies that the signatures have become unreadable (which means that the message cannot be derived from the signature), which has two implications. First, the message itself must be delivered together with the particular number which constitutes its signature; i.e., a signed message consists of the pair $(M,\ (F_c(M))^{d_A} \bmod n_A)$. Second, redundancy no longer has to be present in M to prevent the chosen signature attack. (Clearly, a chosen signature attack does not work if it is infeasible to find a message for which the chosen bit pattern is a true signature.) Thus, any bit pattern may represent a valid message, and a signed message needs only 100 bytes more than the actual message (i.e., the original message without added redundancy) itself. Therefore, this scheme may be more (storage-)efficient than RSA with chaining, particularly for large messages.
In the case of RSA with chaining, each part of the message must be signed and/or checked separately. Therefore, the cost of signing and/or checking a large message is linear in its size. (Thus, if a message is, for example, three times as long as another large message, signing it costs three times as much as signing the other one.) When RSA is used with compression, after the compression only one part of 800 bits is still involved. Thus, if the computation required for the one-way compression can be made relatively cheap, RSA with compression will be more (time-)efficient than RSA with chaining (which subsequently will also be called: basic RSA).

Although redundancy is no longer required to prevent a chosen signature attack, some well-chosen redundancy may still be necessary to prevent a multiplicative attack. For example, this would be the case when the compression function $F_c$ is a homomorphism with respect to multiplication modulo n on a considerable part of its domain; i.e., if for many $M_1$ and $M_2$: $F_c(M_1 \cdot M_2) \bmod n = (F_c(M_1) \cdot F_c(M_2)) \bmod n$.

2. Generalized Exponentiation Signatures 

As explained above, the multiplicative property of RSA means in particular that one should be very careful in choosing a redundancy scheme. Instead of looking for a suitable redundancy scheme, we will try to solve the problem by finding a signature scheme that does not have such unwished-for structure. Thereto, we introduce a generalization of RSA which uses functions of M and n in the base as well as in the exponent, while preserving the idea of choosing n as a public product of secret primes to keep $\phi(n)$ secret. Thus, in this Generalized Exponentiation Signature (GES) scheme, signatures look like:

$$F_1(M,n)^{F_2(M,n)} \bmod n.$$

Since only knowledge of $\phi(n)$ should provide the ability to make signatures corresponding to n, function $F_2$ is supposed to comprise at least the computation of an inverse in modulo $\phi(n)$ arithmetic.

Obviously, RSA is a special case of GES whereby $F_2$ is chosen to be a constant function always mapping to $d = e^{-1} \bmod \phi(n)$, and whereby the function $F_1$ comprises, for example, the redundancy mapping and/or the compression function. In the following, three other signature schemes, which are special cases of GES, will be investigated. The first two of these will be shown to give problems similar to those of RSA. The third variation of GES seems a more promising alternative to RSA.

2.1 A first variation 

In our first example, $F_1$ and $F_2$ are chosen to be $M \bmod n$ and $(M \cdot d) \bmod \phi(n)$, respectively. (Note that it makes no difference at all whether $F_1$ is chosen to be M or $M \bmod n$. Similarly, it is equivalent to have just $M \cdot d$ for $F_2$.) Thus, a signature looks like:

$$M^{M d} \bmod n.$$*

In this scheme the combination of a multiplicative property in the base (like in RSA) and an 
additive property in the exponent may seem to make it more difficult to tamper with signatures 
to produce a false one. However, the following counterexample shows that this scheme does not 
offer a significant improvement. 

Suppose one has two messages $M_1$ and $M_2$ signed by A. By raising the signature on $M_1$ to the power $M_2$ (in modulo $n_A$ arithmetic) one gets:

$$(M_1^{M_1 d} \bmod n_A)^{M_2} \bmod n_A = M_1^{M_1 M_2 d} \bmod n_A.$$

Similarly, one can raise the signature on $M_2$ by $M_1$. Multiplying both results gives A's signature on $M_1 \cdot M_2$, for,

$$(M_1^{M_1 M_2 d} \cdot M_2^{M_1 M_2 d}) \bmod n_A = (M_1 M_2)^{(M_1 M_2) d} \bmod n_A.$$

Thus, if one knows A's signature on one or more valid messages $M_i$, one can easily forge a signature for any new valid message that one can discover how to write as a product of message(s) $M_i$. Consequently, the only achievement is that the inverses of these $M_i$ cannot be used as factors in such products, as was the case with RSA (see section 2.2).

2.2 A second variation 

In a second variation of GES, $F_1$ and $F_2$ are chosen to map to a constant number C and to the inverse of M in modulo $\phi(n)$ arithmetic, respectively. In this variation A's signature function is:

$$S_A(M) = C^{M^{-1} \bmod \phi(n_A)} \bmod n_A.$$

(How to guarantee that the inverse needed in the exponent does in fact exist will be treated 
shortly.) 

At first sight this signature scheme might seem to offer excellent protection against tampering, since the additive property in the exponent does no harm, because the inverse of a sum is, in general, not equal to the sum of the inverses. Thus, the following inequality usually holds:

$$S_A(M_1) \cdot S_A(M_2) \neq S_A(M_1 + M_2).$$

However, this signature scheme is open to the following attack. Suppose one has A's signature on a valid message M which can be written as the normal integer product of some factors $m_1, m_2, \ldots, m_k$. Thus,

$$S_A(M) = C^{(m_1 m_2 \cdots m_k)^{-1} \bmod \phi(n_A)} \bmod n_A.$$

* This first variation of GES can also be considered to be an "RSA with compression" signature using the compression function $F_c(M) = M^M \bmod n$.

By raising $S_A(M)$ to the power $m_1$ in modulo $n_A$ arithmetic, one gets $S_A(m_2 m_3 \cdots m_k)$. Similarly, one is able to get a false signature on any other valid message that can be obtained from M by erasing one or more of its factors.

Another point to consider with this signature scheme, already mentioned, was how to guarantee that the inverse modulo $\phi(n)$, which is used as exponent, does in fact exist. For any number x, its inverse modulo $\phi(n)$ exists only if x is co-prime with $\phi(n)$; i.e., if $\gcd(x, \phi(n)) = 1$. However, this restriction poses no serious problems, even though $\phi(n)$ is known to always contain the factor 4.

For example, A can choose his public product $n_A$ as follows. First he searches for two large primes $p'_A$ and $q'_A$ (roughly 400 bits each) such that $2p'_A + 1$ and $2q'_A + 1$ are also prime. Then A takes $n_A = p_A \cdot q_A$ with $p_A = 2p'_A + 1$ and $q_A = 2q'_A + 1$. As a consequence, $\phi(n_A)$ will be $4 p'_A q'_A$, and thus almost all odd numbers will be co-prime with $\phi(n_A)$. To be more precise, the chance that an odd number is not co-prime with $\phi(n_A)$ is $(p'_A + q'_A - 1)/(p'_A q'_A)$, which is negligibly small (roughly $2^{-400}$). (Acceptably small probabilities might also be achieved when $p'_A$ and $q'_A$ have only large factors.) To get the number to be inverted to be odd, one could append a 1-bit to M before computing its inverse modulo $\phi(n_A)$. Note that not only 2M + 1 is guaranteed to be odd, but also $(2M + 1) \bmod \phi(n_A)$, since $\phi(n_A)$ is even.

The change of A's signature function to $S_A(M) = C^{(2M+1)^{-1} \bmod \phi(n_A)} \bmod n_A$ does not result in much more security against tampering. Suppose that 2M + 1 is known to be a product of some factors $m_1, m_2, \ldots, m_k$. The product of any subset of these factors then will be odd too, and thus will correspond to some other message M'. For example, if k > 2 one is able to get a false signature on the message $M' = (m_1 m_2 - 1)/2$.

A safer signature scheme results if a one-way function $F_0$ is used to change the signature function to $S_A(M) = C^{(2 F_0(M) + 1)^{-1} \bmod \phi(n_A)} \bmod n_A$. Making the base number also depend on the message to be signed seems to be another way to improve safety. This approach will be investigated below.

2.3. A third variation 

Trying to prevent the attack that appeared to be possible in the previous section, we now choose $F_1(M,n) = M \bmod n$. For the exponent we use again $F_2(M,n) = (2M+1)^{-1} \bmod \phi(n)$, assuming that n is chosen appropriately as described in the previous section. This time, the $F_2$ chosen is not only suited for solving the problems resulting from the fact that not every M has an inverse in mod $\phi(n)$ arithmetic, but also prevents the following attack that still (!) would be possible in case the signature function would be just $M^{M^{-1} \bmod \phi(n)} \bmod n$.

Suppose one would like to get a false signature on the message M. First, one uses some P and Q to construct three messages $M_1 = MP$, $M_2 = MPQ$ and $M_3 = M^2PQ$. If one succeeds in getting A to sign $M_1$, $M_2$ and $M_3$, one can forge A's signature on M as follows.

Computing $(S_A(M_2))^Q \bmod n_A$ gives $(MPQ)^{(MP)^{-1}}$. Multiplying this with the mod $n_A$ inverse of $S_A(M_1)$ gives $Q^{(MP)^{-1}}$. In a similar way, one can compute $(MQ)^{(MP)^{-1}}$ from $S_A(M_1)$ and $S_A(M_3)$. Multiplying $(MQ)^{(MP)^{-1}}$ with the mod $n_A$ inverse of $Q^{(MP)^{-1}}$ gives $M^{(MP)^{-1}}$. This last number exponentiated with P gives $S_A(M) = M^{M^{-1}}$.

In the next section we will examine in some detail the properties of the more promising variation which uses $F_1(M,n) = M \bmod n$ and $F_2(M,n) = (2M+1)^{-1} \bmod \phi(n)$. For convenience, this last scheme will be called DJ.

3. Some properties of DJ signatures 

3.1. Fixed storage costs

Naturally any GES scheme that uses a function $F_2$ which is really dependent on M is unreadable. Thus, DJ signatures are unreadable. Therefore, to give a person a message signed by A, one has to send him both the message M and A's signature on it; i.e., one has to send the pair $(M,\ M^{(2M+1)^{-1} \bmod \phi(n_A)} \bmod n_A)$. As a consequence, a signed message requires only 100 bytes more than the message itself (independent of the size of the message, as explained below). This is the same as for RSA with compression.

3.2. No need for redundancy in messages 

DJ signatures being unreadable also implies that messages need no redundancy to protect 
against a chosen signature attack. Since DJ signatures are not multiplicative, messages do not 
need some well-chosen redundancy to prevent a multiplicative attack either. DJ appears to have 
no other unwished for properties such as, for example, being additive. And so, it currently seems 
to be secure against other, similar attacks. 

3.3. No chaining required for large messages 

With DJ it is not necessary to restrict M to, for example, numbers less than n, as in case of RSA. Of course, all messages that are congruent modulo n and modulo $\phi(n)$ will have the same signature. But this gives no problem, since $\phi(n)$ is supposed to be secret. So, the implicit compression that results from the reduction modulo $\phi(n)$ has the required one-way property. As a consequence, it is not necessary with the DJ scheme to use chaining or a separate compression function for signing large messages. Furthermore, it is likely that implicit compression is much easier (cheaper) to perform than separate compression, since a separate compression function is likely to involve a much more complex computation than just a reduction modulo $\phi(n)$ of 2M + 1.
3.4. Computational costs

Because of the above mentioned implicit compression, forming a signature costs one exponentiation in modulo n arithmetic to an exponent of at most 800 bits. Thus, signing large messages is hardly more expensive than signing short ones. However, the same is not true for checking a signature. Since only the signer knows his $\phi(n)$, checking a signature has to be done by first raising (in modulo n arithmetic) the given signature to the full 2M + 1 and then checking whether the result is indeed equal to $M \bmod n$. Thus, the cost of checking a signature is linear in the size of the message. (In the sense that checking a twice as large message costs twice as much work.) Recall that when RSA is used with chaining, the costs of signing and of checking are both linear in the size of the message, since each part of the message must be signed or checked separately.
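The DJ scheme of sections 2.2, 2.3 and 3 as an added toy implementation (not the paper's code): safe-prime key generation, signing with the exponent reduced modulo $\phi(n)$, checking with the full exponent 2M + 1, the implicit compression of section 3.3, and a numerical look at the non-multiplicativity claim of section 3.2. The prime sizes, search start points and messages are constructed for illustration.

```python
"""Toy DJ signatures: S_A(M) = M^{(2M+1)^{-1} mod phi(n)} mod n, checked via
S^{2M+1} == M (mod n).  Added example, not the paper's code; the primes found
here are a few bits long, real keys need ~400-bit p', q'."""
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_safe_prime_seed(start):
    """Smallest p' >= start with both p' and 2p'+1 prime (section 2.2)."""
    p = start
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 1
    return p


def dj_keygen(start_p=500, start_q=900):
    """n = (2p'+1)(2q'+1); phi(n) = 4 p' q', so every odd number not divisible
    by p' or q' is invertible modulo phi(n).  Start points are constructed."""
    pp, qp = next_safe_prime_seed(start_p), next_safe_prime_seed(start_q)
    return (2 * pp + 1) * (2 * qp + 1), 4 * pp * qp


def dj_sign(m, n, phi):
    """Signer reduces 2M+1 modulo phi(n) first (the implicit compression), so
    the exponentiation costs the same for a 10-bit and a 10-megabit message."""
    e = (2 * m + 1) % phi
    if gcd(e, phi) != 1:          # only multiples of p' or q' land here
        raise ValueError("2M+1 is not invertible modulo phi(n)")
    d = pow(e, -1, phi)
    return pow(m % n, d, n)


def dj_verify(m, s, n):
    """Checker knows no phi(n): it must use the full exponent 2M+1, so checking
    costs time linear in the size of M (section 3.4)."""
    return pow(s, 2 * m + 1, n) == m % n


def same_signature_class(m, n, phi):
    """A message congruent to M both mod n and mod phi(n) shares M's signature;
    without phi(n) the checker cannot enumerate such messages (section 3.3)."""
    return m + n * phi


def multiplicativity_table(pairs, n, phi):
    """For each (M1, M2): does S(M1)*S(M2) mod n equal S(M1*M2)?  Unlike RSA
    (section 1.2) this should fail for essentially every pair (section 3.2)."""
    return [(dj_sign(a, n, phi) * dj_sign(b, n, phi)) % n == dj_sign(a * b, n, phi)
            for a, b in pairs]


if __name__ == "__main__":
    n, phi = dj_keygen()
    m = int.from_bytes(b"constructed message far longer than n " * 4, "big")
    while gcd(2 * m + 1, phi) != 1:     # skip the rare non-invertible 2M+1
        m += 1
    s = dj_sign(m, n, phi)
    print(f"n={n} ({n.bit_length()} bits), M has {m.bit_length()} bits, verifies={dj_verify(m, s, n)}")
    print("multiplicative pairs:", multiplicativity_table([(2, 3), (5, 7), (11, 13)], n, phi))
```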

Of course, as with RSA, it is also possible to use a separate, publicly known, one-way compression function $F_c$. Then A's signature on a message M will be

$$M^{(2 F_c(M) + 1)^{-1} \bmod \phi(n_A)} \bmod n_A.$$*

If the computation required for such a separate compression can be made relatively inexpensive, it is advantageous to use it for DJ as well, since the second phase of checking then also consists of only one exponentiation to a number of at most 800 bits. (The first phase encompasses the computation of $F_c(M)$.)

To show the different demands that RSA and DJ make upon the one-way function, we will digress now somewhat into the subject of one-way functions. A usual definition is that a function F is called one-way if it is not generally feasible to find, for a given y, an x such that F(x) = y. However, in the context of cryptographic applications one often adds the requirement that, given some x, it should also be infeasible to find an x' with $x' \neq x$ such that F(x') = F(x).

Since we have chosen to use the function $F_c$ only in the exponent, the only requirement to be imposed on the compression function is that, when knowing some pair (x, y) for which $F_c(x) = y$, it must be infeasible to find an x' for which $x' \neq x$, $x' \bmod n = x \bmod n$ and $F_c(x') = y$. Thus, with DJ the compression function has to be "one-way" only in a more restricted sense. As a consequence, it may be much easier to find suitable compression functions for DJ than for RSA.



4. Comparison of DJ with RSA 

Both the RSA and the DJ digital signature scheme are a special case of a GES scheme. The basic form of RSA has several unpleasant properties. Since it only works for messages of less than $\log_2(n)$ bits, large messages must be divided into small parts. To prevent forgeries, it is necessary to include in each of these parts some bits comprising chaining information and redundancy, to prevent a chosen signature attack. Furthermore, since RSA signatures are multiplicative, the redundancy scheme to be used should be chosen very carefully to prevent successful multiplicative attacks. Thus, the security of basic RSA signatures (i.e., RSA with chaining) depends heavily on the quality of the redundancy scheme chosen.

* We prefer not to use $F_c(M)$ in the base as well.

The following properties of DJ signatures give them considerable advantages over basic 
RSA signatures: 

• Messages and signatures are kept separate. 

• Since DJ signatures are unreadable and not multiplicative, messages need no redundancy to 
prevent a multiplicative attack or a chosen signature attack. 

• DJ signatures cost $\log_2(n)$ bits beyond the size of the message. In practice, this means less than 100 bytes for a signature. 

• The costs for signing a message are more or less constant, because the implicit compression means that only one exponentiation to a number of at most $\log_2 \phi(n)$ bits has to be performed, even for very large messages. (Thus, signing large messages is much cheaper with DJ than with basic RSA, since in the latter case such an exponentiation has to be performed for each part of the message.)

• Every person has to publish only his product n. (The same holds for RSA if one agrees on 
everybody using the same public exponent e.) 

Another way to circumvent the disadvantages of basic RSA signatures is to use RSA with compression. This requires a publicly known, one-way compression function that also destroys the multiplicative structure. With respect to RSA with compression, DJ has only two advantages. The first is that DJ even works without using any compression function. (With DJ, compression is only useful for bounding the costs for checking signatures on large messages.) Second, a compression function has to meet fewer requirements in case of DJ than in case of RSA; for example, it is not crucial for DJ whether the compression function destroys multiplicative properties or not. On the other hand, RSA with compression has the advantage that signatures can be checked more economically if everybody uses a relatively small number e as the public exponent. It may be concluded that RSA with compression and DJ both seem to be good digital signature schemes, and that both are better than RSA with chaining.

Summary 

It has been shown in [DeJCh85] that RSA signatures may be vulnerable to so-called multiplicative attacks. In this paper we have shown a similar potential weakness in the special cases of the generalizations of RSA presented that use the functions $M^{M \cdot d} \bmod n$, $C^{(2M+1)^{-1} \bmod \phi(n)} \bmod n$, and $M^{M^{-1} \bmod \phi(n)} \bmod n$, respectively.

A further variation is presented that, although it does not rely on the use of a one-way 
function, does not seem to be vulnerable to multiplicative or other attacks known to the authors. 
Abstract: A cryptanalysis is given of a cryptosystem introduced by J.J. Cade, which is based on solving equations over finite fields.

In 1985 J.J. Cade [1] introduced a new public-key cryptosystem. The Cade cryptosystem is a public-key cipher in which each block is a string of n binary digits or equivalently an element of the finite field $\mathbb{F}_{2^n}$. Because of the design of the system n must be a multiple of 3, say n = 3c. The blocks are enciphered by a permutation of $\mathbb{F}_{2^n}$ induced by a polynomial $P \in \mathbb{F}_{2^n}[x]$ of the following form,

$$P(x) = p_{00} x^{2} + p_{10} x^{q+1} + p_{11} x^{2q} + p_{20} x^{q^2+1} + p_{21} x^{q^2+q} + p_{22} x^{2q^2},$$

where $q = 2^c$ and $p_{00}, \ldots, p_{22} \in \mathbb{F}_{q^3}$. The six coefficients $p_{00}, \ldots, p_{22}$ are the public key. The trapdoor information is a decomposition

$$P(x) = S \circ M \circ T(x) \bmod (x^{q^3} - x). \quad (1)$$

S and T are both linearized polynomials,

$$T(x) = a_0 x + a_1 x^{q} + a_2 x^{q^2}, \qquad S(x) = b_0 x + b_1 x^{q} + b_2 x^{q^2},$$

where $a_0, \ldots, b_2 \in \mathbb{F}_{q^3}$ are the private key. S and T are linear mappings of $\mathbb{F}_{q^3}$, considered as a vector space over $\mathbb{F}_q$, and are both chosen to be invertible. A necessary and sufficient condition for a linearized
polynomial $L(x) = \sum_{i=0}^{r-1} d_i x^{q^i} \in \mathbb{F}_{q^r}[x]$ to be invertible is that $\det A \neq 0$, where

$$A = \begin{pmatrix} d_0 & d_{r-1}^{q} & d_{r-2}^{q^2} & \cdots & d_1^{q^{r-1}} \\ d_1 & d_0^{q} & d_{r-1}^{q^2} & \cdots & d_2^{q^{r-1}} \\ \vdots & \vdots & \vdots & & \vdots \\ d_{r-1} & d_{r-2}^{q} & d_{r-3}^{q^2} & \cdots & d_0^{q^{r-1}} \end{pmatrix}.$$

In the Cade cipher we have $q = 2^c$ and r = 3. The set of linearized polynomials over $\mathbb{F}_{q^r}$ forms a group under composition mod $(x^{q^r} - x)$, called the Betti-Mathieu group, which is isomorphic to the general linear group of nonsingular r by r matrices with entries in $\mathbb{F}_q$; see [3] for details on linearized polynomials.

We note that P(x) in (1) is obtained mod $(x^{q^3} - x)$. Therefore polynomial decomposition algorithms for finding the secret composition factors S, M and T are not applicable. M is the special monomial $M(x) = x^{q+1}$, which is invertible because $\gcd(q+1, q^3-1) = 1$ for $q = 2^c$. T, M and S are easy to invert and so $P^{-1} = T^{-1} \circ M^{-1} \circ S^{-1}$ is easy to calculate if one knows the private key.

We now give a method for finding the private key $a_0, \ldots, b_2$ in terms of the public key $p_{00}, \ldots, p_{22}$.

From (1) we have

$$P \circ T^{-1}(x) = S \circ M(x) \bmod (x^{q^3} - x) = b_0 x^{q+1} + b_2 x^{q^2+1} + b_1 x^{q^2+q}. \quad (2)$$

Because T is a linearized polynomial, $T^{-1}$ will have the same form as T. In fact

$$T^{-1}(x) = \alpha_0 x + \alpha_1 x^{q} + \alpha_2 x^{q^2}, \quad (3)$$

where

$$\alpha_0 = (a_0^{q^2+q} + a_1^{q} a_2^{q^2})/\Delta, \qquad \alpha_1 = (a_2^{q^2+1} + a_0^{q^2} a_1)/\Delta, \qquad \alpha_2 = (a_1^{q+1} + a_0^{q} a_2)/\Delta,$$

and

$$\Delta = a_0^{q^2+q+1} + a_1^{q^2+q+1} + a_2^{q^2+q+1} + a_0 a_1^{q} a_2^{q^2} + a_0^{q} a_1^{q^2} a_2 + a_0^{q^2} a_1 a_2^{q}.$$
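A toy instance of the Cade construction with q = 2 (c = 1, so the block field is $\mathbb{F}_8$), as an added example that is not the paper's code: it builds S, M and T, applies the invertibility criterion through the matrix A, inverts T with formula (3), and deciphers via $T^{-1} \circ M^{-1} \circ S^{-1}$. The field representation (modulus $x^3 + x + 1$) and the private keys a = (2, 1, 4), b = (4, 2, 1) are constructed choices.

```python
"""Toy Cade cipher over F_{q^3} with q = 2, i.e. F_8 = F_2[x]/(x^3 + x + 1).
Added example, not the paper's code.  Field elements are ints 0..7 whose bits
are polynomial coefficients; the private keys used below are constructed."""

MOD = 0b1011      # x^3 + x + 1, irreducible over F_2
Q = 2             # q = 2^c with c = 1
ORDER = Q ** 3    # |F_{q^3}| = 8


def gf_mul(a, b):
    """Carry-less multiply, reduced modulo x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    return gf_pow(a, ORDER - 2)   # a^(q^3 - 2) = a^{-1} for a != 0


def linearized(d):
    """L(x) = d0 x + d1 x^q + d2 x^{q^2} as a function on F_{q^3}."""
    return lambda x: gf_mul(d[0], x) ^ gf_mul(d[1], gf_pow(x, Q)) ^ gf_mul(d[2], gf_pow(x, Q * Q))


def dickson_det(d):
    """det A for r = 3 with A[i][j] = d_{(i-j) mod 3}^{q^j}; nonzero iff L is
    invertible.  Characteristic 2, so every term of the expansion is added."""
    A = [[gf_pow(d[(i - j) % 3], Q ** j) for j in range(3)] for i in range(3)]
    m = gf_mul
    return (m(A[0][0], m(A[1][1], A[2][2]) ^ m(A[1][2], A[2][1]))
            ^ m(A[0][1], m(A[1][0], A[2][2]) ^ m(A[1][2], A[2][0]))
            ^ m(A[0][2], m(A[1][0], A[2][1]) ^ m(A[1][1], A[2][0])))


def linearized_inverse(a):
    """Coefficients (alpha0, alpha1, alpha2) of T^{-1} from formula (3)."""
    a0, a1, a2 = a
    q, q2 = Q, Q * Q
    p = gf_pow
    delta = (p(a0, q2 + q + 1) ^ p(a1, q2 + q + 1) ^ p(a2, q2 + q + 1)
             ^ gf_mul(a0, gf_mul(p(a1, q), p(a2, q2)))
             ^ gf_mul(p(a0, q), gf_mul(p(a1, q2), a2))
             ^ gf_mul(p(a0, q2), gf_mul(a1, p(a2, q))))
    if delta == 0:
        raise ValueError("T is not invertible")
    inv = gf_inv(delta)
    alpha0 = gf_mul(p(a0, q2 + q) ^ gf_mul(p(a1, q), p(a2, q2)), inv)
    alpha1 = gf_mul(p(a2, q2 + 1) ^ gf_mul(p(a0, q2), a1), inv)
    alpha2 = gf_mul(p(a1, q + 1) ^ gf_mul(p(a0, q), a2), inv)
    return alpha0, alpha1, alpha2


def cade_encrypt(x, a, b):
    """P = S o M o T with M(y) = y^{q+1}; a, b are the private linearized keys."""
    T, S = linearized(a), linearized(b)
    return S(gf_pow(T(x), Q + 1))


def cade_decrypt(z, a, b):
    """P^{-1} = T^{-1} o M^{-1} o S^{-1}; M^{-1}(y) = y^{(q+1)^{-1} mod (q^3-1)}."""
    t_inv, s_inv = linearized(linearized_inverse(a)), linearized(linearized_inverse(b))
    m_inv_exp = pow(Q + 1, -1, ORDER - 1)       # 3^{-1} mod 7 = 5
    return t_inv(gf_pow(s_inv(z), m_inv_exp))


def is_permutation(f):
    return len({f(x) for x in range(ORDER)}) == ORDER


if __name__ == "__main__":
    a, b = (2, 1, 4), (4, 2, 1)                 # constructed private keys
    print("det A(T) =", dickson_det(a), " det A(S) =", dickson_det(b))
    print("P permutes F_8:", is_permutation(lambda x: cade_encrypt(x, a, b)))
    print("round trips:", [cade_decrypt(cade_encrypt(x, a, b), a, b) == x for x in range(ORDER)])
```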



We may then calculate $P \circ T^{-1}(x)$. This has six terms and comparison of the coefficients of these terms with those in (2) yields the following equations

$$b_0 = p_{10}(\alpha_0^{q+1} + \alpha_1 \alpha_2^{q}) + p_{20}(\alpha_1^{q^2+1} + \alpha_0 \alpha_2^{q^2}) + p_{21}(\alpha_2^{q^2+q} + \alpha_0^{q} \alpha_1^{q^2}),$$

$$b_2 = p_{10}(\alpha_2^{q+1} + \alpha_0 \alpha_1^{q}) + p_{20}(\alpha_0^{q^2+1} + \alpha_1^{q^2} \alpha_2) + p_{21}(\alpha_1^{q^2+q} + \alpha_0^{q^2} \alpha_2^{q}),$$

$$b_1 = p_{10}(\alpha_1^{q+1} + \alpha_0^{q} \alpha_2) + p_{20}(\alpha_2^{q^2+1} + \alpha_0^{q^2} \alpha_1) + p_{21}(\alpha_0^{q^2+q} + \alpha_1^{q} \alpha_2^{q^2}), \quad (4)$$

$$p_{00}\alpha_0^{2} + p_{11}\alpha_2^{2q} + p_{22}\alpha_1^{2q^2} + p_{10}\alpha_0\alpha_2^{q} + p_{20}\alpha_0\alpha_1^{q^2} + p_{21}\alpha_1^{q^2}\alpha_2^{q} = 0,$$

$$p_{11}\alpha_0^{2q} + p_{22}\alpha_2^{2q^2} + p_{00}\alpha_1^{2} + p_{21}\alpha_0^{q}\alpha_2^{q^2} + p_{10}\alpha_0^{q}\alpha_1 + p_{20}\alpha_1\alpha_2^{q^2} = 0,$$

$$p_{22}\alpha_0^{2q^2} + p_{00}\alpha_2^{2} + p_{11}\alpha_1^{2q} + p_{20}\alpha_0^{q^2}\alpha_2 + p_{21}\alpha_0^{q^2}\alpha_1^{q} + p_{10}\alpha_1^{q}\alpha_2 = 0. \quad (5)$$

Now if we raise the second and third equations of (5) to the powers $q^2$ and q respectively and put $\alpha = \alpha_0$, $\beta = \alpha_2^{q}$, $\gamma = \alpha_1^{q^2}$ then we obtain

$$p_{00}\alpha^2 + p_{11}\beta^2 + p_{22}\gamma^2 + p_{10}\alpha\beta + p_{20}\alpha\gamma + p_{21}\beta\gamma = 0,$$

$$p_{11}^{q^2}\alpha^2 + p_{22}^{q^2}\beta^2 + p_{00}^{q^2}\gamma^2 + p_{21}^{q^2}\alpha\beta + p_{10}^{q^2}\alpha\gamma + p_{20}^{q^2}\beta\gamma = 0,$$

$$p_{22}^{q}\alpha^2 + p_{00}^{q}\beta^2 + p_{11}^{q}\gamma^2 + p_{20}^{q}\alpha\beta + p_{21}^{q}\alpha\gamma + p_{10}^{q}\beta\gamma = 0. \quad (6)$$
If one of α, β or γ is zero then the equations are easy to solve. This can be detected a priori, e.g. if γ = 0 then necessarily

$$\det \begin{pmatrix} p_{00} & p_{11} & p_{10} \\ p_{11}^{q^2} & p_{22}^{q^2} & p_{21}^{q^2} \\ p_{22}^{q} & p_{00}^{q} & p_{20}^{q} \end{pmatrix} = 0.$$

Thus assume $\alpha\beta\gamma \neq 0$. Because the equations in (6) are homogeneous we may assume γ = 1.

Using two of the equations in (6) to eliminate the $\alpha^2$ term we obtain

$$\alpha(c_1 \beta + c_2) + c_3 \beta^2 + c_4 \beta + c_5 = 0 \quad (7)$$

for some $c_1, \ldots, c_5 \in \mathbb{F}_{q^3}$.

If $c_1 = c_2 = 0$ then we have a quadratic equation for β. Such an equation can be solved by treating this case as an affine polynomial and use of the method described in [4, p. 103], or alternatively use the method of Exercise 4.44 in [4, p. 161]. Otherwise we may substitute for α in one of the equations in (6) and so obtain a quartic equation for β. A quartic equation over $\mathbb{F}_{2^n}$ may be solved by the method described in Chen [2]. Equations (3) and (4) then give the values of $a_0, a_1, a_2$ and $b_0, b_1, b_2$ respectively.

We understand from the originator of the Cade cipher that S. Berkovits has 
developed an alternative method of breaking the cipher. An improved version of the 
cipher has been presented at CRYPTO 86. 
A MODIFICATION OF A BROKEN PUBLIC-KEY CIPHER



John J. Cade 
2h Glnn Rd. 
Winchester, MA 01890 

Abstract 

A possible public-key cipher is described and its security against various cryptanalytic attacks is considered.

1. Introduction 

In this paper, we describe a possible public-key cipher. It is a modification of the public-key cipher that was proposed by the author [2] in April 1985, was broken by Berkovits in August 1985, and was broken independently by James, Lidl, and Niederreiter in October 1985.

This modified cipher, like the original, is a block substitution cipher that operates on binary messages. With this cipher, for a suitably large value of n, n-blocks of binary digits are identified with elements of the finite field GF(2^n), and elements of GF(2^n) are enciphered by means of a permutation of GF(2^n) whose public description is as a polynomial function on GF(2^n) which has a very high degree but only a few terms.

We consider several possible cryptanalytic attacks against the cipher. The most obvious attack consists of solving the polynomial equations of high degree over GF(2^n) which relate corresponding n-blocks of plaintext and ciphertext. Another possible attack consists of solving the system of polynomial equations of high degree over GF(2^n) that expresses the public key for the enciphering permutation in terms of secret trapdoor information about this permutation.

A.M. Odlyzko (Ed.): Advances in Cryptology - CRYPTO '86, LNCS 263, pp. 64-83, 1987. 
© Springer- Verlag Berlin Heidelberg 1987 






For each cryptanalytic attack that we consider, we give an estimate of the amount of computation required as a function of the cipher's block-length n. The estimates for all but one of the attacks are based on fairly complete and satisfying analyses of the attacks in question. Unfortunately, however, for the attack by solving the system of equations that expresses the public key in terms of trapdoor information, the estimate is based only on indirect evidence obtained by an analysis of a simpler related system of equations. This attack will require further study, perhaps with the aid of a computer algebra system. On the basis of the estimates of the amounts of computation required by the various cryptanalytic attacks, it appears that the cipher provides adequate security with a block-length of n > 150.

This paper is organized as follows. In section 2 below, we describe our modified cipher. In section 3, we prove that the enciphering and deciphering permutations used in the cipher are indeed mutually inverse permutations. In sections 4 - 6, we describe various methods of cryptanalyzing the cipher and we estimate the amounts of computation required by these methods. Finally, in section 7, we summarize these estimates and use them to determine a suitable block-length for the cipher.

2. Description of the cipher 

Our cipher is designed to encipher binary messages. Each such message is enciphered one n-block at a time, for a specified block-length n, by substituting for each plaintext n-block x a corresponding ciphertext n-block y which is given by y = P(x), where P is a certain kind of permutation of the set of all binary n-blocks.

Because of the particular form of the enciphering permutations used in the cipher, the block-length n must be an integer for which there exist integers δ, γ, and β such that n = 2δ and δ = 2γ = 3β. Note that an integer n satisfies this requirement if and only if n is a multiple of 12. In the following, n, δ, γ, and β are understood to be as just described.

For the operation of the cipher, the set of all binary n-blocks must be identified in some specified way with the finite field GF(2^n). Then the public description of the enciphering permutation P consists of a 16-term polynomial formula for P having the form

$$P(x) = \sum_{g=0}^{3} \sum_{h=0}^{3} p_{gh}\, x^{2^{\gamma g + \beta} + 2^{\gamma h}}. \quad (2.1)$$

The coefficients $p_{gh}$ in this formula are publicly revealed elements of GF(2^n) which constitute the public key for P.

Although P is a polynomial function of very high degree, P(x) can nevertheless be computed quite efficiently for each x ∈ GF(2^n). One way to do this is to use formula (2.1) written in the form

and to compute the powers of x of the form $x^{2^k}$ appearing in this formula by doing k successive squarings. Computing P(x) this way requires a total of just (11/12)n squarings, 20 multiplications, and 15 additions in GF(2^n).

P(x) can be computed even more efficiently by using matrix-vector multiplication to compute various quantities which are the values of linear functions on GF(2^n), where GF(2^n) is regarded as a vector space over its smallest subfield GF(2). To compute P(x) this way, first compute the quantities $u_0, \ldots, u_3$ and $v_1, v_2, v_3$ given by

$$u_h = \sum_{g=0}^{3} p_{gh}\, x^{2^{\gamma g + \beta}}, \quad \text{for } h = 0, \ldots, 3,$$

and $v_h = x^{2^{\gamma h}}$, for h = 1, 2, 3. Each of these quantities is a GF(2)-linear function of x, and so can be computed by doing a single matrix-vector multiplication involving an n × n matrix over GF(2) and an n-element vector over GF(2). Then compute P(x) by using the formula

$$P(x) = u_0 x + \sum_{h=1}^{3} u_h v_h.$$

Computing P(x) this way requires a total of just 7 matrix-vector multiplications over GF(2), together with 4 multiplications and 3 additions in GF(2^n).

For the construction of enciphering permutations, GF(2^n) and its subfield GF(2^δ) are regarded as vector spaces, of dimensions 4 and 2 respectively, over their common subfield GF(2^γ). To construct an enciphering permutation, one first chooses at random two secret bases a_1, ..., a_4 and b_1, ..., b_4 of GF(2^n) over GF(2^γ). One also chooses a basis e_1, e_2 of GF(2^δ) over GF(2^γ). This last basis need not be kept secret and can be chosen to be whatever is most convenient. The sequence a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 formed by these three bases constitutes secret trapdoor information about an enciphering permutation P that is specified by this sequence. We will call this sequence a trapdoor sequence for the permutation P.

This permutation is constructed as follows. First, let S_1 and S_2 be the GF(2^γ)-linear functions from GF(2^δ) into GF(2^n) such that S_1(e_j) = a_j and S_2(e_j) = a_{j+2}, for j = 1, 2. Next, let T_1 and T_2 be the GF(2^γ)-linear functions from GF(2^n) into GF(2^δ) such that

$$T_1(b_j) = \begin{cases} e_j, & \text{for } j = 1, 2 \\ 0, & \text{for } j = 3, 4 \end{cases} \qquad \text{and} \qquad T_2(b_j) = \begin{cases} 0, & \text{for } j = 1, 2 \\ e_{j-2}, & \text{for } j = 3, 4. \end{cases}$$

Finally, let M be the permutation of GF(2^δ) given by

$$M(x) = x^{2^{\beta}+1}. \qquad (2.2)$$

Then the enciphering permutation P specified by the trapdoor sequence a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 is the function from GF(2^n) into GF(2^n) given by

$$P(x) = S_1 M T_1(x) + S_2 M T_2(x). \qquad (2.3)$$

Here and in the following, we denote the composition of two or more functions by the juxtaposition of their symbols. Thus, for i = 1, 2, S_i M T_i(x) = S_i ∘ M ∘ T_i(x) = S_i(M(T_i(x))).

We note that the enciphering permutation P just described does not determine a unique trapdoor sequence which specifies it. Indeed, it can be shown that for each enciphering permutation, there are a very large number of trapdoor sequences which specify it.

For the public description of the enciphering permutation P described above, P must be expressed as a polynomial function. To do this, first the functions S_i and T_i are expressed as polynomial functions. The functions S_i are given by the polynomial formulas

$$S_i(x) = a_{i0}\, x + a_{i1}\, x^{2^{\gamma}}, \qquad (2.4)$$

where the coefficients a_{ik} are the elements of GF(2^n) uniquely determined by the system of linear equations

$$a_{i0}\, e_j + a_{i1}\, e_j^{2^{\gamma}} = S_i(e_j), \quad \text{for } j = 1, 2.$$

The functions T_i are given by the polynomial formulas

$$T_i(x) = \sum_{k=0}^{3} b_{ik}\, x^{2^{\gamma k}}, \qquad (2.5)$$

where the coefficients b_{ik} are the elements of GF(2^n) uniquely determined by the system of linear equations

$$\sum_{k=0}^{3} b_{ik}\, b_j^{2^{\gamma k}} = T_i(b_j), \quad \text{for } j = 1, \ldots, 4.$$

Once the elements a_{ik} and b_{ik} have been determined, the enciphering permutation P is given by the polynomial formula (2.1), where the coefficients p_{gh} are given by

$$p_{gh} = \sum_{i=1}^{2} \sum_{k=0}^{1} a_{ik}\, (b_{i,g-k})^{2^{\gamma k+\beta}}\, (b_{i,h-k})^{2^{\gamma k}}, \qquad (2.6)$$

where b_{i,-1} = b_{i,3}, for i = 1, 2.

We note that this polynomial formula for P can be derived by substituting the polynomial formulas (2.4), (2.5), and (2.2) for the functions S_i, T_i, and M into formula (2.3) and expanding the resulting expression for P(x) as a polynomial in x, taking into account that repeated squarings are automorphisms of GF(2^n), and using the identity x^{2^n} = x to reduce the degree of this polynomial to less than 2^n. We also note that the coefficients a_{ik} and b_{ik} in the polynomial formulas (2.4) and (2.5) for the functions S_i and T_i must be kept secret because a trapdoor sequence for P can be computed from them quite easily.

To decipher a message which has been enciphered using the enciphering permutation P, each ciphertext n-block y is replaced by the corresponding plaintext n-block x which is given by x = P^{-1}(y), where P^{-1} is the inverse of the permutation P. To obtain a formula for the deciphering permutation P^{-1}, one must know a trapdoor sequence a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 for P. The permutation P^{-1} is specified by this trapdoor sequence as follows. Let U_1 and U_2 be the GF(2^γ)-linear functions from GF(2^δ) into GF(2^n) such that U_1(e_j) = b_j and U_2(e_j) = b_{j+2}, for j = 1, 2. Let V_1 and V_2 be the GF(2^γ)-linear functions from GF(2^n) into GF(2^δ) such that

$$V_1(a_j) = \begin{cases} e_j, & \text{for } j = 1, 2 \\ 0, & \text{for } j = 3, 4 \end{cases} \qquad \text{and} \qquad V_2(a_j) = \begin{cases} 0, & \text{for } j = 1, 2 \\ e_{j-2}, & \text{for } j = 3, 4. \end{cases}$$

Finally, let M^{-1} be the inverse of the permutation M of GF(2^δ), which means that M^{-1} is given by

$$M^{-1}(y) = y^{\epsilon}, \qquad (2.7)$$

where ε = 2^{β-1}(2^{2β} + 2^{β} - 1). Then the deciphering permutation P^{-1} is given by

$$P^{-1}(y) = U_1 M^{-1} V_1(y) + U_2 M^{-1} V_2(y). \qquad (2.8)$$
Like the functions S_i and T_i, the functions U_i and V_i can be expressed as polynomial functions. The functions U_i are given by the polynomial formulas

$$U_i(y) = c_{i0}\, y + c_{i1}\, y^{2^{\gamma}}, \qquad (2.9)$$

where the coefficients c_{ik} are the elements of GF(2^n) uniquely determined by the system of linear equations

$$c_{i0}\, e_j + c_{i1}\, e_j^{2^{\gamma}} = U_i(e_j), \quad \text{for } j = 1, 2.$$

The functions V_i are given by the polynomial formulas

$$V_i(y) = \sum_{k=0}^{3} d_{ik}\, y^{2^{\gamma k}}, \qquad (2.10)$$

where the coefficients d_{ik} are the elements of GF(2^n) uniquely determined by the system of linear equations

$$\sum_{k=0}^{3} d_{ik}\, a_j^{2^{\gamma k}} = V_i(a_j), \quad \text{for } j = 1, \ldots, 4.$$

The coefficients c_{ik} and d_{ik} in the polynomial formulas (2.9) and (2.10) for the functions U_i and V_i can be regarded as a secret private key for the deciphering permutation P^{-1}.

P^{-1}(y) can be computed for each y ∈ GF(2^n) by using formula (2.8) together with the polynomial formulas (2.9), (2.10), and (2.7) for the functions U_i, V_i, and M^{-1}. An efficient way of doing this is based on the following formula:

$$M^{-1} V_i(y) = \frac{V_i(y)^{2^{3\beta-1}}\; V_i(y)^{2^{2\beta-1}}}{V_i(y)^{2^{\beta-1}}} = \frac{\Big(\sum_{k=0}^{3} d_{i,k-1}^{\,2^{3\beta-1}}\, y^{2^{\gamma k+\gamma-1}}\Big)\Big(\sum_{k=0}^{3} d_{i,k-1}^{\,2^{2\beta-1}}\, y^{2^{\gamma k+\alpha-1}}\Big)}{\sum_{k=0}^{3} d_{ik}^{\,2^{\beta-1}}\, y^{2^{\gamma k+\beta-1}}},$$

where d_{i,-1} = d_{i,3} and α = n/12. To compute P^{-1}(y) efficiently using this formula, first compute the quantities z_1 and z_2 given by z_i = M^{-1} V_i(y) by using the above formula and computing the powers of y of the form y^{2^k} appearing in this formula by doing k successive squarings. Then compute the quantities U_i(z_i) by using the polynomial formulas (2.9) for the functions U_i and again computing powers of the z_i by repeated squaring. Finally, compute P^{-1}(y) by adding U_1(z_1) and U_2(z_2). Computing P^{-1}(y) this way requires a total of just (3/2)n - 1 squarings, 30 multiplications, 2 divisions, and 21 additions in GF(2^n).

P^{-1}(y) can be computed even more efficiently by making use of matrix-vector multiplication. To compute P^{-1}(y) this way, first compute the quantities t_i, u_i, and v_i for i = 1, 2, where these quantities are given by

$$t_i = V_i(y)^{2^{3\beta-1}}, \qquad u_i = V_i(y)^{2^{2\beta-1}}, \qquad v_i = V_i(y)^{2^{\beta-1}}.$$

Each of these quantities is a GF(2)-linear function of y, and so can be computed by doing a single matrix-vector multiplication over GF(2). Next, compute the quantities w_1 and w_2 given by w_i = M^{-1} V_i(y) = t_i u_i / v_i. Then compute U_1(w_1) and U_2(w_2). For each i, the quantity U_i(w_i) is a GF(2)-linear function of w_i, and so can be computed by doing a single matrix-vector multiplication over GF(2). Finally, compute P^{-1}(y) by adding U_1(w_1) and U_2(w_2). Computing P^{-1}(y) this way requires a total of just 8 matrix-vector multiplications over GF(2), together with 2 multiplications, 2 divisions, and 1 addition in GF(2^n).

For the security of the cipher, the trapdoor sequences used should be such that all the coefficients p_{gh}, a_{ik}, b_{ik}, c_{ik}, and d_{ik} in the polynomial formulas (2.1), (2.4), (2.5), (2.9), and (2.10) for the functions P, S_i, T_i, U_i, and V_i are nonzero. It can be shown that, given any basis e_1, e_2 of GF(2^δ) over GF(2^γ), if elements a_1, ..., a_4, b_1, ..., b_4 are chosen at random from GF(2^n), then it is virtually certain that a_1, ..., a_4 and b_1, ..., b_4 will both form bases of GF(2^n) over GF(2^γ) and that the sequence a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 will form a trapdoor sequence that satisfies the security requirements just stated.



3. Invertibility of the enciphering and deciphering permutations

We now show that the enciphering and deciphering permutations given by formulas (2.3) and (2.8), respectively, are indeed mutually inverse permutations of GF(2^n).

Since the invertibility of these functions depends on the invertibility of the function M given by formula (2.2), we first indicate why this function is a permutation of GF(2^δ) and why M^{-1} is given by formula (2.7). Using the Euclidean algorithm and the relation δ = 3β, it can be calculated that gcd(2^δ - 1, 2^β + 1) = 1. Hence there exist numbers ε satisfying the congruence (2^β + 1)ε ≡ 1 mod (2^δ - 1). If ε is any positive solution of this congruence, then it follows from the identity x^{2^δ - 1} = 1, which is satisfied by all nonzero x ∈ GF(2^δ), that M(x)^ε = x^{(2^β + 1)ε} = x for all x ∈ GF(2^δ). Thus M is a permutation of GF(2^δ), and M^{-1} is given by M^{-1}(y) = y^ε, where ε is any positive solution of the above congruence. It follows that M^{-1} is given by formula (2.7) provided that the number ε appearing in this formula satisfies the condition just given. The Euclidean algorithm calculations mentioned above can be used to find all the solutions of the congruence above. Of these solutions, the least positive one is exactly the number ε = 2^{β-1}(2^{2β} + 2^β - 1) appearing in formula (2.7). Thus M^{-1} is indeed given by formula (2.7).

Proposition. The enciphering function P given by formula (2.3) is a permutation of GF(2^n) and the inverse of this permutation is the deciphering function given by formula (2.8).

Proof. Let Q denote the function on GF(2^n) defined by formula (2.8). To prove the proposition, it suffices to show that QP(x) = x for all x ∈ GF(2^n). Let a_1, ..., a_4, b_1, ..., b_4, e_1, e_2 be a trapdoor sequence for P that specifies the GF(2^γ)-linear functions S_i, T_i, U_i, and V_i appearing in formulas (2.3) and (2.8). Let X_1 and X_2 be the GF(2^γ)-subspaces of GF(2^n) spanned by b_1, b_2 and by b_3, b_4, respectively, and let Y_1 and Y_2 be the GF(2^γ)-subspaces of GF(2^n) spanned by a_1, a_2 and by a_3, a_4, respectively. Then GF(2^n) = X_1 ⊕ X_2 = Y_1 ⊕ Y_2. Now suppose that x ∈ GF(2^n) is given, and let x_1 and x_2 be the unique elements of X_1 and X_2, respectively, such that x = x_1 + x_2. Then, for i = 1, 2,

$$T_i(x) = T_i(x_1 + x_2) = T_i(x_1) + T_i(x_2) = T_i(x_i),$$

where the last equality holds because T_1(X_2) = T_2(X_1) = 0 by the definition of the functions T_i. Also T_i maps X_i one-to-one onto GF(2^δ), M is a permutation of GF(2^δ), and S_i maps GF(2^δ) one-to-one onto Y_i, so S_i M T_i maps X_i one-to-one onto Y_i. Thus, letting y_i = S_i M T_i(x_i), we have P(x) = y_1 + y_2, with y_i ∈ Y_i. Next, to compute QP(x), we note that, for i = 1, 2,

$$V_i P(x) = V_i(y_1 + y_2) = V_i(y_1) + V_i(y_2) = V_i(y_i),$$

where the last equality holds because V_1(Y_2) = V_2(Y_1) = 0 by the definition of the functions V_i. Hence

$$QP(x) = U_1 M^{-1} V_1(y_1) + U_2 M^{-1} V_2(y_2) = U_1 M^{-1} V_1 S_1 M T_1(x_1) + U_2 M^{-1} V_2 S_2 M T_2(x_2).$$

Also both V_i S_i and M^{-1} M are the identity map on GF(2^δ), and U_i T_i is the identity map on X_i, so U_i M^{-1} V_i S_i M T_i(x_i) = x_i. Hence, for all x ∈ GF(2^n), QP(x) = x_1 + x_2 = x. Thus P is a permutation of GF(2^n), and P^{-1} = Q. Q.E.D.
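As an added worked instance of the section 2 construction and of the inverse relation proved above (example code written for this edit, not the paper's own), the following takes the smallest admissible parameters n = 12, δ = 6, γ = 3, β = 2, draws a trapdoor sequence at random, and implements P and P^{-1} directly from (2.3) and (2.8) by applying the linear maps to coordinates over GF(2^γ); it also checks the identity P(wz) = M(w)P(z) that section 4 relies on. The representation of GF(2^12) by the modulus x^12 + x^6 + x^4 + x + 1 and the sample element z in the last check are assumptions of this example, not choices made by the paper.

```python
"""Toy instance of the section 2 trapdoor permutation with n = 12 (delta = 6,
gamma = 3, beta = 2).  Added example, not the paper's own code.  It assumes the
representation GF(2^12) = GF(2)[x]/(x^12 + x^6 + x^4 + x + 1), which the paper does not fix."""
import itertools
import random

N, DELTA, GAMMA, BETA = 12, 6, 3, 2           # n = 2 delta, delta = 2 gamma = 3 beta
MOD = (1 << 12) | (1 << 6) | (1 << 4) | (1 << 1) | 1   # assumed defining polynomial
ORDER = 1 << N                                # |GF(2^n)|

def gf_mul(a, b):
    """Product in GF(2^n); bit i of an int is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:                         # reduce modulo MOD
            a ^= MOD
    return r

def gf_pow(a, e):
    """a^e by square-and-multiply (repeated squaring, as in the paper)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def subfield(k):
    """GF(2^k) inside GF(2^n): exactly the elements with x^(2^k) = x."""
    return [x for x in range(ORDER) if gf_pow(x, 1 << k) == x]

GF_GAMMA = subfield(GAMMA)                    # 8 elements
GF_DELTA = subfield(DELTA)                    # 64 elements

def lin(coords, basis):
    """GF(2^gamma)-linear combination sum_j coords[j] * basis[j]."""
    v = 0
    for c, b in zip(coords, basis):
        v ^= gf_mul(c, b)
    return v

def coord_table(basis):
    """Coordinates (over GF(2^gamma)) of every combination of `basis`; the
    table has |GF(2^gamma)|^len(basis) keys iff `basis` is independent."""
    return {lin(cs, basis): cs for cs in itertools.product(GF_GAMMA, repeat=len(basis))}

def keygen(seed):
    """Random trapdoor sequence a1..a4, b1..b4, e1, e2 plus coordinate tables."""
    rng = random.Random(seed)
    while True:
        a = [rng.randrange(1, ORDER) for _ in range(4)]   # basis of GF(2^n) over GF(2^gamma)
        b = [rng.randrange(1, ORDER) for _ in range(4)]   # second such basis
        e = [rng.choice(GF_DELTA[1:]) for _ in range(2)]  # basis of GF(2^delta) over GF(2^gamma)
        ca, cb, ce = coord_table(a), coord_table(b), coord_table(e)
        if len(ca) == ORDER and len(cb) == ORDER and len(ce) == len(GF_DELTA):
            return {"a": a, "b": b, "e": e, "ca": ca, "cb": cb, "ce": ce}

EPS = (1 << (BETA - 1)) * ((1 << (2 * BETA)) + (1 << BETA) - 1)   # epsilon of (2.7)

def M(u):
    """(2.2): M(u) = u^(2^beta + 1), a permutation of GF(2^delta)."""
    return gf_pow(u, (1 << BETA) + 1)

def M_inv(y):
    """(2.7): M^-1(y) = y^epsilon; (2^beta + 1) * epsilon = 1 mod (2^delta - 1)."""
    return gf_pow(y, EPS)

def encrypt(key, x):
    """(2.3): P(x) = S1 M T1(x) + S2 M T2(x)."""
    c = key["cb"][x]                                 # coordinates of x in b1..b4
    t1 = lin(c[0:2], key["e"])                       # T1: b1,b2 -> e1,e2; b3,b4 -> 0
    t2 = lin(c[2:4], key["e"])                       # T2: b1,b2 -> 0; b3,b4 -> e1,e2
    s1 = lin(key["ce"][M(t1)], key["a"][0:2])        # S1: e_j -> a_j
    s2 = lin(key["ce"][M(t2)], key["a"][2:4])        # S2: e_j -> a_{j+2}
    return s1 ^ s2

def decrypt(key, y):
    """(2.8): P^-1(y) = U1 M^-1 V1(y) + U2 M^-1 V2(y)."""
    c = key["ca"][y]                                 # coordinates of y in a1..a4
    v1 = lin(c[0:2], key["e"])                       # V1: a1,a2 -> e1,e2; a3,a4 -> 0
    v2 = lin(c[2:4], key["e"])                       # V2: a1,a2 -> 0; a3,a4 -> e1,e2
    u1 = lin(key["ce"][M_inv(v1)], key["b"][0:2])    # U1: e_j -> b_j
    u2 = lin(key["ce"][M_inv(v2)], key["b"][2:4])    # U2: e_j -> b_{j+2}
    return u1 ^ u2

def check_roundtrip(key):
    """True iff P^-1(P(x)) = x for every x and P is a bijection of GF(2^n) (section 3)."""
    ys = [encrypt(key, x) for x in range(ORDER)]
    return len(set(ys)) == ORDER and all(decrypt(key, y) == x for x, y in enumerate(ys))

def check_homogeneity(key, z=0x3A5):
    """Section 4 identity P(wz) = M(w) P(z) for all w in GF(2^gamma); z is a constructed sample."""
    return all(encrypt(key, gf_mul(w, z)) == gf_mul(M(w), encrypt(key, z)) for w in GF_GAMMA)
```

Running keygen(7) followed by check_roundtrip and check_homogeneity exercises all 4096 elements of GF(2^12).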

4. Cryptanalysis by solving the equation P(x) = y

In this section and the next two sections, we describe some possible methods of cryptanalyzing our cipher by using public information about the enciphering permutation. For each method that we consider, we give an estimate of the amount of computation needed.

The first cryptanalytic attack that we consider consists of solving a given ciphertext message, enciphered using a known enciphering permutation P, by solving the equation P(x) = y for each ciphertext n-block y to find the corresponding plaintext n-block x. We consider two methods of solving the equation P(x) = y. The first method is an exhaustive search procedure, while the second method is algebraic in nature.

The exhaustive search procedure that we consider for solving the equation P(x) = y depends on the easily proved identity P(wz) = M(w)P(z), which holds for all w ∈ GF(2^γ) and z ∈ GF(2^n). In view of this identity, if a nonzero z ∈ GF(2^n) can be found such that y/P(z) ∈ GF(2^γ), then the desired n-block x such that P(x) = y is given by x = M^{-1}(y/P(z)) z. A nonzero z ∈ GF(2^n) has the property just described if and only if (y/P(z))^{2^γ} = y/P(z). Such an element z can be found by an exhaustive search in which elements of GF(2^n) are tested one-by-one until one is found that satisfies this last condition. A minimal subset of GF(2^n) that is certain to contain an element z of the desired kind contains exactly one element of each different subset of GF(2^n) of the form {wt : w ∈ GF(2^γ), w ≠ 0}, where t is a nonzero element of GF(2^n). There are approximately 2^{(3/4)n} such subsets of GF(2^n), so the desired element z can be found after at most 2^{(3/4)n} trials. We will regard each trial needed to find this element z as a single operation. Then it follows that at most approximately 2^{(3/4)n} operations are required to solve the equation P(x) = y by the exhaustive search procedure just described.

The second method that we consider for solving the equation P(x) = y is to regard this equation as a polynomial equation in x and to solve this equation algebraically. It appears that the most efficient way of doing this is to use the Euclidean algorithm to compute the polynomial in x which is the greatest common divisor of the polynomials P(x) - y and x^{2^n} - x. To see what this accomplishes, note that, since P is a permutation of GF(2^n), the polynomial P(x) - y has a unique root x = r in GF(2^n), and hence has a unique linear factor x - r over GF(2^n). On the other hand, the polynomial x^{2^n} - x is the product of all the linear factors x - a, with a ∈ GF(2^n). Hence the greatest common divisor of P(x) - y and x^{2^n} - x is exactly the linear factor x - r such that x = r is the desired solution of the equation P(x) = y. Thus to solve the equation P(x) = y, it is only necessary to compute this greatest common divisor. Using the Euclidean algorithm to do this, the required number of multiplications and divisions in GF(2^n) is at most approximately (deg(P))^2/2. Thus we conclude that the equation P(x) = y can be solved algebraically using the method just described by doing at most approximately 2^{(11/6)n-1} operations.
5. Cryptanalysis by determining a polynomial or rational formula for P^{-1}

Next, we consider a method of cryptanalyzing the cipher that consists of determining a formula for the deciphering permutation P^{-1} by using public information about the enciphering permutation P. We describe two formulas for P^{-1} that can be determined this way. The first formula expresses P^{-1} as a polynomial function, while the second formula expresses P^{-1} as a rational function, that is, as a quotient of two polynomial functions. We describe how each of these formulas can be obtained and we give estimates of the amounts of computation needed to do this.

First, we describe how a polynomial formula for P^{-1} can be obtained. It can be shown that P^{-1} can be expressed as a polynomial function of the form

$$P^{-1}(y) = \sum_{k \in K} w_k\, y^k,$$

where the coefficients w_k are elements of GF(2^n), the index set K is a subset of the set {0, ..., 2^n - 1} which can be completely specified, and the number of elements in the set K satisfies 2^{n/3} ≤ |K| ≤ 2^{n/3+2}. This formula for P^{-1} can be regarded as a system of 2^n linear equations which uniquely determines the coefficients w_k in the formula. By making the substitution y = P(x) in this formula, an equivalent system of 2^n linear equations can be obtained which have the form

$$\sum_{k \in K} w_k\, P(x)^k = x.$$

Note that this second system of equations can be formulated using only public information about the enciphering permutation P. Since the rank of this second system is the same as the rank of the original system, which is |K|, and since |K| ≪ 2^n, it follows that this second system can be reduced to a smaller system formed from it by choosing any subset of |K| independent equations. We will assume that such a smaller system can be obtained without any significant computational effort, which may well be the case. Then the determination of the coefficients w_k in the polynomial formula for P^{-1} reduces to solving this smaller system of equations. This system consists of |K| equations in |K| unknowns, so to solve it requires at most approximately |K|^3/3 operations consisting of multiplications and divisions in GF(2^n). Hence, since |K| ≈ 2^{n/3}, we conclude that it takes at most approximately (2^n)/3 operations to solve for the coefficients w_k, and thus to determine a polynomial formula for P^{-1}.

Next, we describe how a rational formula for P^{-1} can be obtained. The rational formula that we consider has the same form as the rational formula for P^{-1} that is obtained by expanding formula (2.8) for P^{-1}(y) as a rational function of y, making use of the polynomial formulas (2.9) and (2.10) for the functions U_i and V_i described in section 2, and expressing the function M^{-1} by the rational formula M^{-1}(y) = y^ξ / y^η, where ξ = 2^{β-1}(2^{2β} + 2^β) and η = 2^{β-1}. The rational formula for P^{-1} just described has the form P^{-1}(y) = Q(y)/R(y), where Q and R are both nonconstant polynomial functions, Q(0) = 0, and R(y) ≠ 0 for all nonzero y ∈ GF(2^n). Furthermore, it can be shown that Q and R are given by polynomial formulas having the forms

$$Q(y) = \sum_{k \in K_Q} w_Q(k)\, y^k \qquad \text{and} \qquad R(y) = \sum_{k \in K_R} w_R(k)\, y^k,$$

where the coefficients w_Q(k) and w_R(k) are elements of GF(2^n), the index sets K_Q and K_R are subsets of the set {0, ..., 2^n - 1} which can be completely specified, and the numbers of elements in the sets K_Q and K_R satisfy 2^{n/3} ≤ |K_Q| ≤ 2^{n/3+3} + 64 and 4 ≤ |K_R| ≤ 16. Now if the formula P^{-1}(y) = Q(y)/R(y) is rewritten as P^{-1}(y)R(y) - Q(y) = 0, if the substitution y = P(x) is made, and if the above polynomial formulas for the functions Q and R are used, then the result is the equation

$$\sum_{k \in K_R} w_R(k)\, x\, P(x)^k - \sum_{k \in K_Q} w_Q(k)\, P(x)^k = 0,$$

which holds for all x ∈ GF(2^n). This equation can be regarded as a system of 2^n homogeneous linear equations that are satisfied by the elements w_Q(k) and w_R(k) and that can be formulated using only public information about the enciphering permutation P. Conversely, if a set of elements w_Q(k) and w_R(k) of GF(2^n) forms a nonzero solution of this system of equations and if the functions Q and R on GF(2^n) are defined by the polynomial formulas given above, then the function R is not identically zero and P^{-1} is given by the rational formula P^{-1}(y) = Q(y)/R(y) for all y ∈ GF(2^n) such that R(y) ≠ 0. Thus a rational formula for P^{-1} can be obtained by finding a nonzero solution of the system of linear equations given above, and furthermore such solutions exist.

Since the rank of this system of 2^n equations is at most |K_Q| + |K_R| - 1, which is less than 2^n, this system can be reduced to a smaller system which has the same rank and consists of equations chosen from the original system. We will assume that such a smaller system consisting of |K_Q| + |K_R| - 1 equations can be obtained from the original system without any significant computational effort. Then the determination of the coefficients w_Q(k) and w_R(k) in a rational formula for P^{-1} reduces to solving this smaller system of |K_Q| + |K_R| - 1 linear equations in |K_Q| + |K_R| unknowns, which takes at most approximately (|K_Q| + |K_R|)^3/3 operations. Hence, since |K_Q| + |K_R| ≈ 2^{n/3}, we conclude that it takes at most approximately (2^n)/3 operations to determine a rational formula for P^{-1} of the kind described above.

6. Cryptanalysis by finding a trapdoor sequence

The last method of cryptanalysis that we consider consists of using the public key for a given enciphering permutation P to determine a trapdoor sequence for it. We consider two ways of finding such a sequence: first by exhaustive search, and second by solving the system of equations (2.6) algebraically. We describe how each of these approaches might be carried out and we give estimates of the amounts of computation required.

The most efficient exhaustive search procedure for finding a trapdoor sequence for P appears to be as follows. First, choose the elements e_1, e_2 of the sequence to be any convenient basis of GF(2^δ) over GF(2^γ). Next, test one-by-one bases b_1, ..., b_4 of GF(2^n) over GF(2^γ) until a basis is found which is the b_1, ..., b_4 part of a trapdoor sequence for P whose e_1, e_2 elements are the ones just chosen. To test a given basis b_1, ..., b_4 for this property, let the GF(2^γ)-linear functions T_1 and T_2 be defined in terms of b_1, ..., b_4, e_1, e_2 as described in section 2, and solve for the coefficients b_{ik} in the polynomial formulas for these functions given by equation (2.5). Next, find all the solutions for the elements a_{ik} in the system of equations (2.6). Note that these solutions can be found by linear algebra, since this system is linear in the a_{ik}. The solutions, if any, of this system are then tested one-by-one to determine whether any of them is such that GF(2^n) can be expressed as GF(2^n) = S_1(GF(2^δ)) + S_2(GF(2^δ)), where S_1 and S_2 are the GF(2^γ)-linear functions from GF(2^n) into GF(2^n) defined in terms of the elements a_{ik} by formula (2.4). Now the basis b_1, ..., b_4, which is being tested for the property of being the b_1, ..., b_4 part of a trapdoor sequence for P whose e_1, e_2 elements are the ones chosen, has this property if and only if there exists a set of elements a_{ik} that satisfies the system of equations (2.6) and that satisfies the condition stated above. As soon as such a basis b_1, ..., b_4 and a set of elements a_{ik} has been found, a complete trapdoor sequence for P can be produced. The b_1, ..., b_4, e_1, e_2 part has already been obtained, and the a_1, ..., a_4 part of the sequence is given by a_j = S_1(e_j), for j = 1, 2, and by a_j = S_2(e_{j-2}), for j = 3, 4, where the functions S_i are as described above.

A minimal set of bases b_1, ..., b_4 that is certain to contain a basis of the desired kind includes, for each different enciphering permutation, exactly one basis that is the b_1, ..., b_4 part of a trapdoor sequence for the permutation whose e_1, e_2 elements are the ones chosen. It can be shown that such a set of bases contains approximately 2^{3n-3} bases, so at most approximately 2^{3n-3} trials are required to find a trapdoor sequence for P by the exhaustive search procedure described above. It appears likely that, for each basis b_1, ..., b_4 tested, either there is no solution at all for the elements a_{ik} or else the basis is the b_1, ..., b_4 part of a trapdoor sequence for P of the desired kind and there is only one solution for the elements a_{ik}. In view of this, we will consider the testing of a single basis as being a single operation. Thus we conclude that at most approximately 2^{3n-3} operations are required to find a trapdoor sequence for P by the exhaustive search procedure described above.

Finally, we consider finding a trapdoor sequence for a given enciphering permutation P by solving algebraically for a set of elements a_{ik} and b_{ik} of GF(2^n) satisfying the system of equations (2.6). First, we note the connection between solutions of this system of equations and trapdoor sequences for P. If a set of elements a_{ik} and b_{ik} of GF(2^n) satisfies this system of equations and if GF(2^γ)-linear functions S_i and T_i from GF(2^n) into GF(2^n) are defined in terms of these elements by equations (2.4) and (2.5), respectively, then P can be expressed in terms of these functions by equation (2.3). Furthermore, there exists a trapdoor sequence for P which specifies these functions if and only if these functions satisfy the conditions

$$GF(2^n) = S_1(GF(2^{\delta})) \oplus S_2(GF(2^{\delta})) = \ker(T_1) \oplus \ker(T_2)$$

and GF(2^δ) = range(T_1) = range(T_2). If the functions S_i and T_i satisfy these conditions and if e_1, e_2 is any basis of GF(2^δ) over GF(2^γ), then a trapdoor sequence for P which specifies these functions is given by a_1, ..., a_4, b_1, ..., b_4, e_1, e_2, where, for j = 1, 2, a_j = S_1(e_j), and, for j = 3, 4, a_j = S_2(e_{j-2}), and where, for j = 1, 2, b_j is the unique element of ker(T_2) satisfying T_1(b_j) = e_j and, for j = 3, 4, b_j is the unique element of ker(T_1) satisfying T_2(b_j) = e_{j-2}. It follows that the system of equations (2.6) has many solutions for the elements a_{ik} and b_{ik}, since there is a different solution arising from each different trapdoor sequence for P having fixed e_1, e_2 elements, and there are perhaps other solutions as well that do not arise from any trapdoor sequence for P. We will assume that all solutions for the elements a_{ik} and b_{ik} do in fact arise from trapdoor sequences for P. Then, to find a trapdoor sequence for P, it suffices to find a single solution of the system of equations (2.6) for the elements a_{ik} and b_{ik}.

In order to estimate the amount of computation required to solve this system of equations algebraically, it is first necessary to determine the most efficient method of algebraic solution. As already noted, this system of equations is linear in the elements a_{ik}. Hence it appears that the most efficient way to solve this system is to first simplify it as much as possible by eliminating these unknowns. This is exactly the method that was used by Berkovits and by James, Lidl, and Niederreiter to solve the corresponding system of equations associated with the original version of our cipher. It was in this way that they broke that cipher.

For the system of equations (2.6), there are many possible ways in which the unknowns a_{ik} can be eliminated, and each of these ways must be tried in order to find the best way of simplifying the system. Unfortunately, to try all these ways would require a forbidding amount of computation, although it could probably be done fairly easily using a suitable computer algebra system. To get around these difficulties in analyzing this system of equations, we consider instead a different system of equations that presumably requires less computation to solve. This system of equations is associated with a class of permutations of GF(2^n) that are somewhat simpler than the enciphering permutations used in our cipher but which have the same general structure. These simpler permutations are obtained by modifying the enciphering permutation construction described in section 2 by changing the relationship between δ and γ from δ = 2γ to δ = γ. The effect of this change is to convert the polynomial formulas (2.4) and (2.5) for the functions S_i and T_i from 2 terms to 1 term and from 4 terms to 2 terms, respectively. The resulting permutation P is then given by a polynomial formula having just 4 terms, rather than 16 terms as in our cipher. The system of equations that corresponds to the system of equations (2.6) and that relates the polynomial coefficients p_{gh} of P to the polynomial coefficients a_{ik} and b_{ik} of the functions S_i and T_i has the form

$$p_{gh} = a_{10}\, b_{1g}^{2^{\beta}}\, b_{1h} + a_{20}\, b_{2g}^{2^{\beta}}\, b_{2h}, \quad \text{for } g, h = 0, 1.$$

Now we consider how this system of equations can be solved. Note that, like the more complicated system of equations (2.6), the above system of equations is linear in the unknowns a_{10} and a_{20}. Hence it appears that the most efficient way to solve this system is to first simplify it as much as possible by eliminating these unknowns. Of the various ways to do this, the best way appears to be one that leads fairly directly to a single polynomial equation H(B_1) = 0 of degree 2^{2β} + 1 in the single unknown B_1 = b_{10}/b_{11}. It appears that the amount of computation required to solve this equation is at least the amount required to compute the greatest common divisor of the polynomials H(B_1) and B_1^{2^n} - B_1. This requires approximately (deg(H(B_1)))^2/2 operations, which is approximately 2^{(2/3)n-1} operations. We will take this amount as our estimate of the amount of computation required to find a trapdoor sequence by solving the system of equations (2.6) algebraically.

An obvious question now arises. Since the estimate just given is based solely on the properties of the corresponding system of equations for the simpler permutations described above, why not use these simpler permutations as enciphering permutations? Unfortunately, this cannot be done. The reason for this is that, for such enciphering permutations, the deciphering permutations can be expressed by a rational formula corresponding to the rational formula described in section 5 for the deciphering permutations used in our cipher, and there are at most 12 terms in this formula. Thus, as indicated in section 5, the coefficients in this formula can be determined by doing at most approximately 12^3/3 operations. This number of operations is far too small to provide any security, and hence the simpler permutations described above cannot be used as enciphering permutations.

7. Summary of the cryptanalytic attacks and conclusions

The following table summarizes the estimates of the amounts of computation required by the various cryptanalytic attacks discussed in sections 4 - 6.

method of attack                              maximum number of operations required

1. solving the equation P(x) = y:
   a. by exhaustive search                    2^{(3/4)n}
   b. algebraically                           2^{(11/6)n-1}

2. finding a formula for P^{-1}:
   a. polynomial                              (2^n)/3
   b. rational                                (2^n)/3

3. finding a trapdoor sequence:
   a. by exhaustive search                    2^{3n-3}
   b. algebraically                           2^{(2/3)n-1}

According to the above table, the most effective attack against our cipher is to solve algebraically for a trapdoor sequence for the enciphering permutation. This attack is estimated to require at most 2^{(2/3)n-1} operations, so the block-length n of the cipher must be chosen so that this amount of computation is unfeasible. We will assume, somewhat arbitrarily, that the maximum feasible amount of computation is the number of operations performed by a computer that does 10^9 operations per second for a period of 10 years. This amounts to a total of 3 × 10^17 operations. We multiply this by a safety factor of 10^12 to arrive at the figure of 3 × 10^29 operations as an unfeasible amount of computation. Hence the block-length n must be such that 2^{(2/3)n-1} > 3 × 10^29 ≈ 2^98. Thus we conclude that a suitable block-length for our cipher is n ≥ 150.
Abstract

Recent research in cryptography has led to the construction of several pseudo-random bit generators, 
programs producing bits as hard to predict as solving a hard problem. In this paper, 

1. We present a new pseudo-random bit generator based on elliptic curves. 

2. To construct our generator, we also develop two techniques that are of independent interest: 

(a) an algorithm that computes the order of an element in an arbitrary Abelian group; and 

(b) a new oracle proof method for demonstrating the simultaneous security of multiple bits of a 
discrete logarithm in an arbitrary Abelian group. 

3. We present a new candidate hard problem for future use in cryptography: the elliptic logarithm 
problem. 

1 Introduction 

This paper describes a method for producing pseudo-random bits based on the elliptic logarithm problem. 
The paper contains background on elliptic curves and pseudo-random bit generation, two new results of 
independent interest, and the construction and proof of a pseudo-random bit generator. This section gives 
an overview of the paper. 

1.1 Motivation and overview 

Recently considerable progress has been made in formalizing the theory of pseudo-random number
generation based on computational difficulty [BM84] [Yao82] [GGM84] [Lev85]. However, the generality of
this theory (finally based on one-way functions in a weak sense [Lev85]) is in sharp contrast with the
very few concrete candidates for one-way functions. Discrete logarithm and integer factorization (of which
quadratic residuosity and inverting RSA are special cases) are essentially the only hard problems on which
to build one-way functions. One of the main contributions of this paper is that it introduces a new hard
problem different from those previously studied. Since cryptography stimulates mathematical research, it
is interesting to note that ours is one of the first cryptographic tools based on 20th century mathematics.
In simplest form, an elliptic curve is the set of solutions (x, y) to an equation

y^2 = x^3 + Ax + B (1)

over the finite field with p elements, where p is a prime. A well-known result is that the points on an elliptic 
curve form an abelian group under an additive composition operation called "tangents and chords." We 
use the group structure to apply the main ideas of the Blum-Micali generator in an entirely new context. 

In the Blum-Micali case, the hard problem is "discrete logarithms" modulo p: given g, y ∈ Z_p^*, find
a such that y = g^a modulo p. In our case, the hard problem is "elliptic logarithms" on an elliptic curve
modulo p: given points G, Y, find a such that Y = aG.

Despite the similarity of the statements and of the names, we are dealing with two very distinct 
problems. First, the structure of elliptic curve groups differs greatly from those groups previously studied. 
Second, the representation differs: points on elliptic curves require two coordinates. Third, while there 
are closed formulas for computing the order of Z_p^* and other groups, there are no such formulas for elliptic
curves. To summarize, elliptic logarithms involve entirely different mathematics. (They are also conjectured
to be harder to compute than discrete logarithms [Mil85a].)

To construct a pseudo-random bit generator based on elliptic curves, and to prove that the bits it out- 
puts are as hard to predict as solving the elliptic logarithm problem, is not a straightforward generalization 
of previous work. The differences pointed out above make previous constructions and proofs inadequate. 
In developing our construction and proofs, we also develop several related results. 

1. We construct a novel method of finding the order of an element of an Abelian group. 

2. We also introduce a new proof technique that generalizes proofs of bit security to abelian groups of 
arbitrary structure. 

3. Furthermore, we lay the foundation for the development of cryptosystems using elliptic curves directly. 

We make use of Lenstra's new factoring algorithm based on elliptic curves [Len85] [Bac85] (which, at 
first glance, would seem more suitable to break cryptosystems than to construct them!). Lenstra's algorithm 
has the remarkable property that its running time depends on the size of the smallest prime factor of its 
input. This allows us, for instance, to find elements that generate an abelian group quickly with negligible 
probability of error. This solves a major problem encountered in earlier constructions of pseudo-random 
bit generators. We believe ours is the first cryptographic application that exploits the special features of 
Lenstra's algorithm. 



2 Background 

2.1 Number theory

Let φ(N) be the Euler totient function, the number of integers N or smaller relatively prime to N. Rosser
and Schoenfeld [RS62] give a lower bound for N > 3 of

φ(N)/N > 1/(6 ln ln N). (2)

2.2 Groups 

A group G is additive if its composition operation is written +; multiplicative if written × (or implied).
Abelian is a synonym for commutative. In an additive group, we write ax to denote repeated composition
of x with itself a times; in a multiplicative group, x^a. Given an element x in G, we say the order of x,
written order_G(x), is the smallest positive integer a such that ax = 0, where 0 is the identity element of G.

Definition 1 Let G be an additive Abelian group. A generating set for G is a set

{(g_1, N_1), ..., (g_k, N_k)}, g_i ∈ G, N_i > 1, (3)

such that every element x ∈ G can be written uniquely as

x = a_1 g_1 + ··· + a_k g_k, 0 ≤ a_i < N_i. (4)

We say a generating set is canonical if N_{i+1} divides N_i for 1 ≤ i < k. Every Abelian group has canonical
generating sets. Furthermore, the sequence N_1, ..., N_k is the same for all canonical generating sets. The
rank of G is the cardinality of its canonical generating sets. Thus we may speak of the r-tuple (g_1, ..., g_r),
where r is the rank, as a generating tuple for G. If the rank is 2, then we have a generating pair (g_1, g_2);
and if the rank is 1, then we have simply a generator g.

Also observe the isomorphism

G ≅ Z_{N_1} × ··· × Z_{N_r}. (5)

To every x ∈ G there corresponds a unique r-tuple. We call this the index tuple, and it is defined as

index_{G,g_1,...,g_r}(x) = (a_1, ..., a_r) ⇔ x = a_1 g_1 + ··· + a_r g_r. (6)

For groups with rank 2 and 1, we have the index pair and index. In any group, we also write

index_{G,y}(x) = a ⇔ x = ay, (7)

for arbitrary y, but this may not be defined for all x.

The following are results of the lower bound on φ(N) (equation 2).

Lemma 2 The probability that an element x has maximum order in G is at least

1/(6 ln ln N_1), (8)

where N_1 > 3 is the maximum order.

Lemma 3 Let G be a group with N elements, and let r be its rank. Then the probability that (x_1, ..., x_r)
is a generating tuple is at least

I (9) 

assuming each Ni > 3. 



3 Elliptic curves 

Elliptic curves, like many other topics in number theory and algebraic geometry, enjoy a rich history as well 
as recent applications to computer science. As Cassels writes, "It has exercised a fascination throughout 
the centuries and the number of isolated results is immense" [Cas66]. The study of elliptic curves has led to 
a solution of the Congruence problem [Kob84], and a "Riemann hypothesis" [Cho65] [Jol73]. More recently, 
Lenstra has proposed a novel factoring algorithm using a group law that relates the points of an elliptic 
curve [Bac85] [Len85]. This same group law is the basis for Miller's "elliptic logarithm" adaptation [Mil85a]
of the Diffie-Hellman key exchange protocol [DH76], and for the primality certification of Goldwasser and 
Kilian [GK86]. 



3.1 Definition and notation 

In simplest form, an elliptic curve is the set of (x, y) solutions over a field K to the equation

E : y^2 = x^3 + Ax + B, (10)

where A, B ∈ K, (x, y) ∈ K^2, and 4A^3 + 27B^2 ≠ 0. Most elliptic curves can be expressed this way, called
Weierstrass form. Much study in this century has been devoted to elliptic curves over the fields C, R, Q,
Z [Cas66] [Cho65] [Ful69]. Also of interest are elliptic curves over finite fields and their algebraic closures,
F_p and F̄_p [BMP75] [Sch85] [Tat74].

An elliptic curve may also be defined in projective coordinates, as

E : y^2 z = x^3 + Axz^2 + Bz^3, (11)

where A, B ∈ K and the discriminant

Δ = 4A^3 + 27B^2 ≠ 0 (12)

in K.

The point (x, y, 1) in projective coordinates corresponds to the point (x, y) in affine coordinates, where
1 is the unit of the field K. The point (0, 1, 0) corresponds to a point at infinity on the elliptic curve in
affine coordinates.

Let E(K) denote the set of solutions of the curve E over the field K, together with the point at infinity,
denoted 0. A well-known result is that E(K) is an abelian group under a composition operation called
"tangents and chords." The description of this operation is easiest for E(R). Any line in R^2 intersects the
curve E in either zero or three points. (A point of tangency is counted twice; the third point of intersection
for a vertical line is considered to be 0.) The composition of points P and Q, written P + Q, is the reflection of
the third point collinear with them. Thus 0 is the identity. Figure 1 illustrates this operation.

Most of the group axioms are easily verified; to show E(R) is associative requires certain theorems of
algebraic geometry [Ful69]. Since the composition operation can be expressed as a rational polynomial
function, it can be generalized from R to any field. We will assume for analysis of algorithms that we can
compose points on an elliptic curve E(F_p) in time O(n^2), where n = log p.



3.2 Group structure

Lemma 4 E(F_p) has rank 2.

Proof. This follows from a morphism with C/L, where C is the complex plane and L is a lattice. Since
two generators are sufficient for the lattice, two are sufficient for the elliptic curve. ■

Lemma 5 If E(F_p) ≅ Z_{N_1} × Z_{N_2}, where N_2 divides N_1, then N_2 divides p - 1.

Proof. This is a fairly deep result. See, for example, Cassels' survey [Cas66]. ■

Lemma 6 The only points of order 2 on an elliptic curve are 0 and those with y-coordinate 0.

Proof. By definition of composition, if P = (x, y) then -P = (x, -y), since they lie on the same vertical
line. Points of order 2 are self-inverse, and thus P = 0 and P = (x, 0) are the only solutions. ■

3.3 Simple case

Definition 7 The simple case of elliptic curves consists of those curves over a finite field F_p

E : y^2 = x^3 + B (13)

for which p ≡ 2 modulo 3 and B ≠ 0.

We show several useful properties.

Lemma 8 To every y-coordinate in F_p there corresponds exactly one point on an elliptic curve E(F_p)
in the simple case.

Proof. For any y ∈ F_p, the point ((y^2 - B)^{1/3}, y) is on the curve. Since p ≡ 2 (mod 3), cube roots are
unique and therefore there is exactly one point for each y. ■

Corollary. N_p = p + 1.

Lemma 9 Let E(F_p) be an elliptic curve in the simple case. Then E(F_p) is cyclic.

Proof. By lemmas 4 and 5, E(F_p) ≅ Z_{N_1} × Z_{N_2}, where N_1 N_2 = p + 1 and N_2 divides p - 1. Thus N_2
must be either 1 or 2. But E(F_p) has only two points of order 2, ((-B)^{1/3}, 0) and 0, so N_2 must be 1 and
the group is cyclic. ■
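The tangents-and-chords law of section 3.1 in affine coordinates over F_p, with lemmas 6, 8 and 9 checked on a simple-case curve, as an added example that is not the paper's code. Assumed: p = 11 and B = 7 are constructed values, and the cube root is taken with exponent (2p - 1)/3, which is valid because p ≡ 2 (mod 3).

```python
# Added example (not from the paper): affine group law on y^2 = x^3 + Ax + B
# over F_p, then the simple-case facts (lemmas 6, 8, 9) on a constructed curve.

from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity, 0

def is_on_curve(P: Point, A: int, B: int, p: int) -> bool:
    if P is None:
        return True
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % p == 0

def ec_add(P: Point, Q: Point, A: int, p: int) -> Point:
    """P + Q by tangents and chords: third intersection of the line, reflected."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                         # vertical line: third point is 0
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p         # reflection of the third point
    return (x3, y3)

def ec_mul(a: int, P: Point, A: int, p: int) -> Point:
    """aP by successive doubling: O(log a) group operations."""
    R: Point = None
    while a > 0:
        if a & 1:
            R = ec_add(R, P, A, p)
        P = ec_add(P, P, A, p)
        a >>= 1
    return R

def ec_order(P: Point, A: int, p: int) -> int:
    """order of P by repeated addition (fine for the tiny constructed p here)."""
    k, R = 1, P
    while R is not None:
        R = ec_add(R, P, A, p)
        k += 1
    return k

def all_points(A: int, B: int, p: int):
    """E(F_p) by exhaustive search, point at infinity included."""
    return [None] + [(x, y) for x in range(p) for y in range(p)
                     if is_on_curve((x, y), A, B, p)]

def is_associative(A: int, B: int, p: int) -> bool:
    """brute-force check of the one axiom the text says needs algebraic geometry."""
    pts = all_points(A, B, p)
    return all(ec_add(ec_add(P, Q, A, p), R, A, p) == ec_add(P, ec_add(Q, R, A, p), A, p)
               for P in pts for Q in pts for R in pts)

def simple_case_point(y: int, B: int, p: int) -> Point:
    """lemma 8: for p = 2 (mod 3) the cube map is a bijection of F_p, so
    x = (y^2 - B)^((2p-1)/3) is the unique x with x^3 = y^2 - B."""
    x = pow((y * y - B) % p, (2 * p - 1) // 3, p)
    return (x, y)

def check_simple_case(B: int, p: int):
    """returns (number of points, whether E(F_p) is cyclic, y-coordinates of
    the points of order 2): expect p + 1, True and [0] by lemmas 8, 9 and 6."""
    assert p % 3 == 2 and B % p != 0
    pts = all_points(0, B, p)
    n_pts = len(pts)
    finite = [P for P in pts if P is not None]
    cyclic = any(ec_order(P, 0, p) == n_pts for P in finite)   # lemma 9
    order2_ys = sorted(P[1] for P in finite if ec_order(P, 0, p) == 2)
    return n_pts, cyclic, order2_ys

if __name__ == "__main__":
    print(check_simple_case(7, 11))        # constructed curve y^2 = x^3 + 7 over F_11
```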

4 Pseudo-random number generators 

Recent research in computational complexity has led to the notion of a cryptographically strong pseudo- 
random bit generator. Yao formalized this notion in terms of information theory [Yao82], and Blum and
Micali gave sufficient conditions for constructing a generator, together with a concrete example using 
discrete logarithms [BM84]. Later, direct constructions were obtained for generators based on the RSA 
cryptosystem [ACGS] and the quadratic residuosity problem [BBS83]. Levin made research more formal 
with his study of weaker sufficient conditions and necessary conditions [Lev85]. 

A pseudo-random bit generator is interesting in at least two ways. First, it provides a source of 
randomness indistinguishable in polynomial time from a truly random source, and therefore it can be used 
reliably in probabilistic algorithms. In fact, Yao shows that the existence of such a generator implies 
that any randomized polynomial-time algorithm can be simulated by a deterministic sub-exponential-time 
algorithm [Yao82]. Ajtai and Wigderson generalize these results to probabilistic constant-depth circuits 
[AW85]. Second, a generator can be used both in public- and private-key cryptosystems; in the latter case, 
it is the polynomial-time equivalent of the "one-time pad," an ideal, provably secure cryptosystem. 
4.1 Sources

We borrow the following definitions, slightly modified, from Yao's paper. We assume that probability 
distributions are uniform, and therefore refer to sources simply as sets of strings. 

Definition 10 A source S is a set of strings of equal length. A source ensemble S is a sequence of sources
S_1, S_2, .... If f(n) is the length of the strings in S_n and f(n) ≤ f(n + 1), then the source ensemble is called
uniform.

Definition 11 The truly random source ensemble R = R_1, R_2, ..., where each R_n is the set of all strings
of length n.

4.2 Statistical tests 

Definition 12 A statistical test is a probabilistic algorithm that takes as input a string and outputs either 
0 or 1. 

Let T be a statistical test, and let S = S_1, S_2, ... be a source ensemble. We say that S passes the
statistical test T if for all polynomials Q(n), for n sufficiently large,

| Pr[T(x) = 1 | x ∈ S_n] - Pr[T(x) = 1 | x ∈ R_n] | < 1/Q(n). (14)

We say that S passes all polynomial-time statistical tests if it passes all such T that run in time 
polynomial in the lengths of their input. 

4.3 Approximation 

Definition 13 Let I be a set of strings, let b : I → {0,1} be a predicate, and let ε : N → [0, 1/2] be a
function. We say an algorithm b_ε : I → {0,1} ε-approximates b if for each n,

Pr[b(x) = b_ε(x)] ≥ 1/2 + ε(n), (15)

where the probability is taken over coin flips in b_ε and x of length n in I. Such an algorithm is called an
ε-approximator for b.

Let T_Q(n) be the running time of any algorithm that 1/Q(n)-approximates b on inputs of length n. We
say b is unapproximable if for all polynomials Q(n), T_Q(n) grows faster than any polynomial in n.

4.4 Sufficient conditions 

Definition 14 Let I be a set of strings, and let b : I → {0,1} and f : I → I be functions. Consider the
source ensemble S where S_n is the set of strings

b(f^l(s)) ∘ b(f^{l-1}(s)) ∘ ··· ∘ b(f(s)), (16)

where s ∈ I of length n is chosen uniformly at random. If S is uniform, polynomial, and passes all
polynomial-time statistical tests, then (I, f, b) is called a Blum-Micali pseudo-random bit generator.

Theorem 15 Let I be a set of strings, and let b : I → {0,1} and f : I → I be functions. Also let I_n be the
subset of I containing strings of length n. Then (I, f, b) is a Blum-Micali pseudo-random bit generator if

1. (friendship) b(f(x)) is computable in time polynomial in |x|.

2. (stability) f is a permutation, |f(x)| = |x|, and f(x) is computable in time polynomial in |x|.

3. (accessibility) There is an algorithm that, given an integer n, selects elements x ∈ I_n uniformly (if
any exist) in time polynomial in |x|.

4. (unapproximability) b is unapproximable.

Remark. Yao and Levin propose conditions less strict than these. In particular, Yao replaces I with a
sequence of probability distributions. Levin shows that f need not be a permutation.

One condition which we will make less strict is accessibility, by allowing the algorithm to have negligible
error. That is, the algorithm may output x ∉ I_n with probability asymptotically less than any inverse
polynomial in n.
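Definition 14 and the three constructive conditions of theorem 15, as an added example that is not from the paper, instantiated with the discrete-logarithm generator named in sections 1.1 and 4. Assumed: the constructed prime p = 1019 with g = 2, f(x) = g^x mod p, and b the half bit of the index; unapproximability (condition 4) is a hardness assumption about large p and is not something the code checks.

```python
# Added example (not from the paper): a toy Blum-Micali generator (I, f, b)
# with I = Z_p^*, f(x) = g^x mod p and b = half bit of the index, so that
# b(f(x)) is read off x itself (friendship).  Constructed parameters only.

p, g = 1019, 2          # constructed: p prime, g checked below to generate Z_p^*
N = p - 1               # order of Z_p^*; indices (discrete logs) live in 0..N-1

def f(x: int) -> int:
    """f : Z_p^* -> Z_p^*, x -> g^x mod p; a permutation iff g generates Z_p^*."""
    return pow(g, x, p)

def half_bit_of_index(a: int) -> int:
    """b on the element of index a: 1 iff a >= N/2 (the 'half bit')."""
    return 1 if a % N >= N / 2 else 0

def b_of_f(x: int) -> int:
    """friendship (theorem 15, condition 1): index(f(x)) = x mod N, so b(f(x))
    is computable without taking a discrete logarithm."""
    return half_bit_of_index(x)

def is_permutation() ->  bool:
    """stability (condition 2): f permutes I_n = {1, ..., p - 1}."""
    return sorted(f(x) for x in range(1, p)) == list(range(1, p))

def generate(s: int, l: int) -> str:
    """the string (16): b(f^l(s)) b(f^(l-1)(s)) ... b(f(s)).  Bit b(f^j(s)) is
    obtained from the previous state f^(j-1)(s) via b_of_f; the bits are
    emitted in reverse order of computation, as in (16)."""
    states = [s]
    for _ in range(l - 1):
        states.append(f(states[-1]))           # f(s), ..., f^(l-1)(s)
    bits = [b_of_f(x) for x in states]         # b(f(s)), ..., b(f^l(s))
    return "".join(str(bit) for bit in reversed(bits))

def ones_fraction(l: int) -> float:
    """a frequency statistic over every seed in I_n (accessibility made
    exhaustive): since f is a permutation, each state value occurs equally
    often, so the result is the fraction of indices with half bit 1."""
    total = sum(generate(s, l).count("1") for s in range(1, p))
    return total / (l * (p - 1))

if __name__ == "__main__":
    print(is_permutation(), generate(509, 12), ones_fraction(16))
```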
5 A new tool for finding generators

Finding a generating set for an Abelian group G is important both in the definition of pseudo-random bit 
generators, and in applications such as the Diffie-Hellman key exchange protocol. There are several parts 
to the problem: 

1. finding the cyclic decomposition of G; 

2. computing the orders of elements; and 

3. testing that elements are "linearly independent." 

We present in this section a new tool for solving the second part of the problem. Let G be an Abelian
group, let N be its order, and let n = log N. The main result is an algorithm that uses polynomially-many
(in n) group operations in G to compute the order of an element x ∈ G, with negligible probability of error.
For this method to be applied to a group, the group must have an efficient (i.e., polynomial-time) algorithm
to perform group operations, and its order (number of elements) must be known. Our order-computing
algorithm utilizes Lenstra's new factorization algorithm [Bac85] [Len85].

The outline of this section is as follows. An intermediate result, a partial factorization algorithm using
Lenstra's algorithm, appears in section 5.1. We then apply this algorithm in section 5.2 to show how to
approximate the order of an element x ∈ G. Finally, we present an example of a generating algorithm that
uses the results in section 5.3.



5.1 Partial factorization 

We now present a polynomial-time algorithm that extracts all "small" prime factors of an integer N, using
Lenstra's factorization algorithm. Throughout the discussion, assume that N is fixed, and let n = log N.
Recall that Lenstra's algorithm yields a factor p of N in expected time O(L(p)^{√2 + o(1)} n^3), where

L(p) =def e^{√(ln p ln ln p)}. (17)

We will make much use of the key feature of Lenstra's algorithm, which is that its running time depends
on the smallest prime factor. Pomerance observes that this feature can "usually" be applied to determine
whether a number is smooth with respect to some bound k, i.e., whether all its prime factors are less than
or equal to k [Pom85]. Using this technique, it is also possible to find all prime factors less than or equal
to k.

It is not known whether Lenstra's algorithm is able to find all prime factors. This depends on a 
conjecture concerning the distribution of smooth numbers. If this conjecture is not true, then there may 
be certain primes that Lenstra's algorithm never finds. In this case, the probability of error is no longer 
negligible. We assume the conjecture is true for the course of discussion. Indeed, Lenstra and others call 
this assumption "reasonable" [Len85] [Bac85]. 

This application of Lenstra's algorithm is significant, because to find small factors or to test smoothness
using previous methods would require time proportional to k or to √k. With the new technique, it
is possible to find small factors in polynomial time for much larger k, asymptotically greater than any
polynomial in n. Algorithm small-factors, in figure 2, shows one way to do this, and the following theorem
formalizes the observation.

Theorem 16 Let N be an integer and let n = log N. Algorithm small-factors finds all factors of N less
than or equal to n^{ln n / ln ln n} in time polynomial in n, with negligible error.

Proof. We prove the theorem in three steps. First, we expand L(k) to determine the expected time to
find a single small factor of N. Second, we show how to make the probability of error negligible for a single
small factor. Finally, we analyze the expected time to find all small factors using algorithm small-factors.
Expanding L(k) for k = n^{ln n / ln ln n} gives

L(k) = e^{ln n · √((2 ln ln n - ln ln ln n) / ln ln n)}. (18)

Thus, for sufficiently large n,

L(k) ≤ e^{√2 ln n} = n^{√2}, (19)

and L(k)^{√2} = O(n^2). Therefore, the expected time to find a factor smaller than n^{ln n / ln ln n}, if one exists,
is O(n^{5+o(1)}).

If M is sufficiently large in step 2 of the algorithm, then with high probability we find a factor smaller
than n^{ln n / ln ln n}, if one exists. Consider the process of finding such a factor as a Bernoulli process, since each
trial in Lenstra's algorithm has the same probability of success, and these probabilities are independent.
Let h be a random variable representing the time between successes; then

E[h] = O(n^{5+o(1)}). (20)

Using a Poisson approximation [Dra67] we have,

Pr[h > nE[h]] = e^{-n}. (21)

If we set M as O(n^{6+o(1)}), then the probability of error is negligible.

We conclude the analysis as follows. Since N has at most n factors counting multiplicity, we run step 2
at most n times. Each takes time O(n^{6+o(1)}), so the total running time is O(n^{7+o(1)}), which is polynomial.
The probability of error is e^{-n}, which is negligible. ■

5.2 Approximating the order of an element 

We now present a probabilistic algorithm that determines the order of an element of an Abelian group in
polynomial expected time with negligible probability of error. First we discuss an algorithm to determine
the order of an element x, given the complete factorization of N, the order of G; then we analyze a similar
algorithm in the case when only partial factorization is known, namely the small factors determined in section
5.1.

Without loss of generality, we assume that G is cyclic. If it is not cyclic, then the analysis and results 
would apply to the subgroup of G generated by x, where N is the order of the subgroup. 

5.2.1 Determining order with complete factorization 

Algorithm with-complete-factorization, in figure 3, shows how to determine the order of x ∈ G given all
factors of N. We prove two lemmas about this algorithm: first, that it is correct; and second, that it runs
in polynomial time.

Lemma 17 Algorithm with-complete-factorization is correct. 

Proof. By a corollary of the Chinese Remainder Theorem, each x ∈ G corresponds to a tuple in Z_{p_1^{a_1}} ×
··· × Z_{p_r^{a_r}}, i.e.

x ↔ (x_1, ..., x_r), x_i ∈ Z_{p_i^{a_i}}. (22)

For each i, computing (N/p_i^{a_i})x has the bijection

(N/p_i^{a_i})x ↔ (0, ..., 0, (N/p_i^{a_i})x_i, 0, ..., 0). (23)

Finding the smallest p_i^{b_i} for which (N p_i^{b_i}/p_i^{a_i})x = 0 is the same as finding the order of x_i in Z_{p_i^{a_i}}. Since the
p_i are pairwise relatively prime, the order of x is the product of the orders of the x_i in Z_{p_i^{a_i}}, and the algorithm
is correct. ■

Lemma 18 Algorithm with-complete-factorization uses polynomially-many (in n) group operations.

Proof. Since N has no more than log N prime factors, counting multiplicity, a_1 + ··· + a_r ≤ n. Thus
the number of computations of the form (N p_i^{b_i}/p_i^{a_i})x is at most n. Each computation requires O(n) group
operations, using successive doubling. Thus, O(n^2) group operations are needed, in all. ■
5.2.2 Determining order with partial factorization

Suppose only partial information is known about the prime factors of N. Consider the modified version 
of algorithm with-complete-factorization, called with- partial- factorization (figure 4). Again, we prove two 
lemmas about the algorithm: first, that its probability of error is negligible; and second, that it runs in 
polynomial time. 

For the first lemma, assume that m = p_{k+1}^{a_{k+1}} ··· p_l^{a_l}, p_i prime, p_i < p_{i+1}, and without loss of generality
assume p_k < p_{k+1}. One may ask, what is the probability that the algorithm errs, i.e., outputs o, where
o ≠ order_G(x)?

Lemma 19 Algorithm with-partial-factorization errs with probability at most n/p_{k+1}, where p_{k+1} is the
smallest prime dividing m.

Proof. Suppose order_G(x) = p_1^{b_1} ··· p_l^{b_l}, 0 ≤ b_i ≤ a_i. How does the algorithm behave? There are three
cases.

1. p_{k+1}^{b_{k+1}} ··· p_l^{b_l} = m; correct answer, o = p_1^{b_1} ··· p_k^{b_k} m = order_G(x).
2. p_{k+1}^{b_{k+1}} ··· p_l^{b_l} = 1; correct answer, o = p_1^{b_1} ··· p_k^{b_k} = order_G(x).
3. 1 < p_{k+1}^{b_{k+1}} ··· p_l^{b_l} < m; incorrect answer, o = p_1^{b_1} ··· p_k^{b_k} m ≠ order_G(x).

To find the probability of the third case, consider the subgroup S of elements whose orders divide N/m,
and the quotient group G/S. Since G is cyclic, the order of G/S is m, and G/S ≅ Z_m. The number of
elements of order neither m nor 1 in G/S is m - φ(m) - 1. The probability of an incorrect answer is exactly
the probability that an element of G/S has order neither m nor 1, or 1 - φ(m)/m - 1/m.

An upper bound for the probability can be determined by expanding φ(m) and observing that l - k ≤ n,
since each index represents a distinct prime factor.^2 Expanding φ(m) gives

1 - φ(m)/m - 1/m = 1 - ∏_{k+1 ≤ i ≤ l} (p_i - 1)/p_i - 1/m. (24)

We can compute an upper bound on this value, as follows:

1 - ∏_{k+1 ≤ i ≤ l} (p_i - 1)/p_i ≤ 1 - ((p_{k+1} - 1)/p_{k+1})^{l-k} ≤ (l - k)/p_{k+1} ≤ n/p_{k+1}. (25)

This is the probability of error stated in the lemma, so we are done. ■

Lemma 20 Algorithm with-partial-factorization uses polynomially-many (in n) group operations. 

Proof. The proof is similar to that for algorithm with-complete-factorization. The running time is no
greater, since the partial factorization of N has no more factors than the complete factorization. Therefore,
O(n^3) group operations are sufficient. ■

The two lemmas lead to our main result, that 

Theorem 21 Let G be an Abelian group with an efficient composition operation, let x be an element of
G, and let n = log N where N is the order of G. Using Lenstra's factorization algorithm, given x and N,
it is possible to compute the order of x in G in time polynomial in n with negligible error.

Proof. Let p_{k+1} = n^{ln n / ln ln n}; then algorithm small-factors can compute a partial factorization of the form
needed for algorithm with-partial-factorization in time polynomial in n, with negligible error. Assuming
N is in this partially-factored form, the probability of error in computing the order is n^{1 - ln n / ln ln n}, which
is negligible. By lemma 20, the algorithm runs in time polynomial in n, if G has an efficient composition
operation. ■

By lemma 2, the subset of G consisting of those elements of maximum order is non-negligible. Thus 
we have a corollary to the theorem. 

Corollary. Let G, x, n and N be as in theorem 21. Using Lenstra's factorization algorithm, it is possible
to test whether an element x of G has maximum order in time polynomial in n with negligible error.



^2 Knuth and Trabb Pardo observe that an integer N has at most n/log n distinct factors [KT76]; this is a stronger bound
for l - k. One may also show that l - k ≤ n/log p_{k+1}. However, the weak upper bound is adequate for the proof.
5.3 An example

We now present an example of a generating algorithm. The algorithm, cyclic-generating-test (see figure 5),
operates on the family of multiplicative groups modulo p, where p is a prime, and tests whether an element
is a generator. The test is a straightforward application of algorithm with-partial-factorization. If G has
N elements, then we can apply with-partial-factorization to answer, with negligible error, the question,

"Is order_G(x) = N?"

If the answer is "yes," then with high probability, x generates G. This is a result of the corollary to theorem
21. (It is interesting to note that if the answer is "no," we cannot make the claim of high probability,
because the subset of G consisting of those elements not of maximum order may be negligible.)
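The order algorithms of sections 5.2 and 5.3 on the multiplicative group Z_p^*, as an added example that is not the paper's own code. Assumed: p = 197 is a constructed prime (N = 196 = 2^2 · 7^2); figures 3 and 4 are not reproduced in the text, so the bodies are reconstructed from the proofs of lemmas 17 and 19; and the small-factors step uses trial division up to a bound k, the slower "previous method" of section 5.1, in place of Lenstra's algorithm, which changes nothing in how the order is then computed.

```python
# Added example (not from the paper): with-complete-factorization,
# with-partial-factorization and cyclic-generating-test for G = Z_p^*, where
# the identity is 1, "ax" means x^a mod p and N = p - 1.

def small_factors(N: int, k: int):
    """stand-in for algorithm small-factors (trial division instead of Lenstra):
    returns ({q: a for primes q <= k}, m) with N = m * prod(q^a) and every
    prime factor of m larger than k."""
    factors, m = {}, N
    for q in range(2, k + 1):
        while m % q == 0:            # a composite q never divides m at this point
            factors[q] = factors.get(q, 0) + 1
            m //= q
    return factors, m

def q_part_of_order(x: int, p: int, q: int, a: int) -> int:
    """smallest q^b with (N q^b / q^a) x = 0, i.e. x^(N q^b / q^a) = 1 (mod p):
    the order of the q-component of x (equation 23); at most a+1 exponentiations."""
    N = p - 1
    b = 0
    while pow(x, N * q ** b // q ** a, p) != 1:
        b += 1
    return q ** b

def with_complete_factorization(x: int, p: int, factors: dict) -> int:
    """lemma 17: the order of x is the product of the orders of its components
    in the Z_{q^a} given by the (complete) factorization {q: a} of N."""
    order = 1
    for q, a in factors.items():
        order *= q_part_of_order(x, p, q, a)
    return order

def with_partial_factorization(x: int, p: int, factors: dict, m: int) -> int:
    """only the small primes are known; the unfactored part m is taken whole
    whenever (N/m) x is not the identity.  Correct in cases 1 and 2 of lemma 19,
    wrong in case 3 (order of the m-part strictly between 1 and m)."""
    order = with_complete_factorization(x, p, factors)
    if pow(x, (p - 1) // m, p) != 1:
        order *= m
    return order

def cyclic_generating_test(x: int, p: int, k: int) -> bool:
    """section 5.3: answers 'is order_G(x) = N?' via with-partial-factorization."""
    factors, m = small_factors(p - 1, k)
    return with_partial_factorization(x, p, factors, m) == p - 1

def brute_force_order(x: int, p: int) -> int:
    """reference value, usable only for the tiny constructed p."""
    k, y = 1, x
    while y != 1:
        y = y * x % p
        k += 1
    return k

def error_count(p: int, k: int) -> int:
    """number of x in Z_p^* for which with-partial-factorization errs when only
    primes up to k are known.  Lemma 19: the exact fraction is
    1 - phi(m)/m - 1/m, bounded by n/p_{k+1}."""
    factors, m = small_factors(p - 1, k)
    return sum(1 for x in range(1, p)
               if with_partial_factorization(x, p, factors, m) != brute_force_order(x, p))

if __name__ == "__main__":
    # constructed p = 197: with k = 3 the unfactored part is m = 49, so the
    # elements whose 7-part has order exactly 7 (24 of 196) are misjudged.
    print(small_factors(196, 3), error_count(197, 3), error_count(197, 7))
```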

6 A new oracle proof technique 

This section presents a new method of proving the equivalence of predicting the value of a single bit of a 
discrete logarithm, and computing the logarithm itself. If computing the logarithm is a "hard problem," 
then the method is strong enough to prove that O(logn) bits are simultaneously unapproximable, where 
n is the length of the logarithm. The method requires only that the group is Abelian, and that its cyclic 
decomposition is known. 

The novel idea in the oracle proof technique is a notion of "correlation" that provides a measure of 
closeness to the correct logarithm. This measure can be used to obtain information about the range of 
values an index may take; by refining this information, the index can be found. 

Previous methods for proving such theorems used properties of a group which are not always available. 
In particular, the Blum-Micali proof method [BM84] (and others based on it, e.g. [LW83]) required that the
order of the group be even and used "quadratic residuosity" and square root operations. Although there is 
a square root operation for elliptic curves (since composition is defined by rational polynomials), the order 
of the group may be odd, and therefore previous methods are not applicable. Furthermore, elliptic curve 
groups may be non-cyclic, a condition not encountered in previous proof methods. 

6.1 Preliminaries 

Definition 22 Let G be an additive, Abelian, cyclic group with N elements, and let g be a generator of
G. (Thus G ≅ Z_N.) The half bit of the index b_{G,g,0} : G → Z_2 is defined as

b_{G,g,0}(x) = 1, if index_{G,g}(x) ≥ N/2;
b_{G,g,0}(x) = 0, if index_{G,g}(x) < N/2. (26)

The half bit can also be called the most significant bit of the index. Other "most significant bits" can
be defined recursively; the i-th most significant bit b_{G,g,i} : G → Z_2 is defined as

b_{G,g,i}(x) = b_{G,g,i-1}(2x). (27)

In the discussion following, the group G and the generator g are assumed fixed, and the shorter notation
b_i(x) is used. The main theorem of this section is

Theorem 23 Let G be a cyclic group with an efficient composition operation, let g be a generator of
G, and let n = log N where N is the order of G. Let ε > 0, 0 ≤ i < n. The following problems are
probabilistically reducible to each other in time polynomial in n, ε^{-1} and 2^i:

1. Compute index(x).

2. Compute b_i(x) correctly for 1/2 + ε of x ∈ G.

The reduction of the second problem to the first is obvious. The following sections discuss the reduction
in the other direction: the "oracle proof technique." The reduction is so named because such theorems
traditionally have been proved by constructing an algorithm to compute index(x) using an oracle that
"guesses" one bit of the index with probability 1/2 + ε.

Computing b_i(x) correctly for a fraction of x ∈ G can be described more formally, in terms of approx-
imation (see section 4). In particular, let b_{i,ε} be an ε-approximator to b_i. Recall that G and g are fixed.
We use the notion of approximation to define correlation.
Definition 24 Let x_1 and x_2 be elements of G. The i-th bit correlation of x_1 and x_2, ρ_{i,ε} : G × G →
[-1/2, 1/2], is defined as

ρ_{i,ε}(x_1, x_2) = Pr[b_i(x_1 + rg) = b_{i,ε}(x_2 + rg)] - 1/2, (28)

where r is a uniformly-distributed random variable taking integer values between 0 and N - 1.

Lemma 25 The following are true for all integers k and elements x_1 and x_2 of G:

(approximation) ρ_{i,ε}(x_1, x_1) ≥ ε

(periodicity) |ρ_{i,ε}(x_1, x_2) - ρ_{i,ε}(x_1 + (kN/2^i) g, x_2)| ≤ 2^{i+1}/N

(symmetry) |ρ_{i,ε}(x_1, x_2) + ρ_{i,ε}(x_1 + (kN/2^{i+1}) g, x_2)| ≤ 2^{i+1}/N, k odd, 0 < k < 2^{i+1} (29)

(locality) |ρ_{i,ε}(x_1 + δg, x_2) - ρ_{i,ε}(x_1, x_2)| ≤ 2^{i+1} δ/N.

Proof. (Approximation) Observe that by the definitions of correlation and approximation,

ρ_{i,ε}(x, x) = Pr[b_i(x + rg) = b_{i,ε}(x + rg)] - 1/2 ≥ ε. (30)

(Periodicity, symmetry and locality) View the correlation as a piece-wise constant function on a circle,
taking values 0 and 1. (See figure 6.)

Comparing ρ_{i,ε}(x_1, x_2) to ρ_{i,ε}(x_1 + Δx_1 g, x_2) amounts to rotating the circle by Δx_1 and comparing it
to itself. However, since Δx_1 is an integer, the rotation may cause regions to overlap slightly. In other
words, one comparison in each contiguous region of 0's or 1's may yield an "erroneous" value. Since there
are at most 2^{i+1} such regions, we arrive at the stated limits. ■

6.2 Algorithms and analysis

We now present three algorithms to carry out the proof: algorithm estimate-correlation in figure 7, decide-square-roots in figure 8, and compute-index in figure 9. We also analyze their running times and probabilities of error.

6.2.1 Estimating correlation

By choosing random values for $r$, it is possible to estimate the correlation very well. First we present an algorithm that does this estimation; then we analyze its running time and probability of error. The algorithm, estimate-correlation, appears in figure 7.

Lemma 26 Let $\delta$ be a positive real number, and let $\xi_{i,\epsilon}(cg, x)$, a random variable, be the estimate produced by algorithm estimate-correlation using $M$ samples. If $M \ge \epsilon^{-2}\delta^{-1}$, then for all $c$ and $x$,

$$\Pr\left[\, |\xi_{i,\epsilon}(cg, x) - \rho_{i,\epsilon}(cg, x)| \ge \epsilon/2 \,\right] \le \delta. \qquad (31)$$

Proof. Let $c$ and $x$ be fixed, and write $\xi = \xi_{i,\epsilon}(cg, x)$. Each sample compares $b_i(cg + r_j g)$ with $b_{i,\epsilon}(x + r_j g)$ for an independent uniform $r_j$, so the estimate is the average of $M$ independent Bernoulli trials, shifted by $1/2$, and we have

$$E[\xi] = \rho_{i,\epsilon}(cg, x); \qquad (32)$$

$$\sigma_\xi^2 = E\left[(\xi - E[\xi])^2\right] \le \frac{1}{4M}, \qquad (33)$$

because a single Bernoulli trial has variance at most $1/4$. By Chebyshev's inequality (the weak law of large numbers),

$$\Pr\left[\, |\xi - E[\xi]| \ge \epsilon/2 \,\right] \le \frac{\sigma_\xi^2}{(\epsilon/2)^2} \le \frac{1}{M\epsilon^2} \le \delta, \qquad (34)$$

as stated in the lemma. ∎

It is significant that the upper bound on the probability of error is independent of the values of $c$ and $x$, and of any other estimations made. This is because the estimation randomizes over $r$, and $\delta$ is an upper bound regardless of the value being estimated.

As an application of this lemma, we show that it is possible to estimate the correlation very well in polynomial time.

Lemma 27 Using polynomially many (in $n$, $\epsilon^{-1}$ and $\delta^{-1}$) coin flips, group operations and oracle invocations, algorithm estimate-correlation errs by $\epsilon/2$ or more with probability at most $\delta$.

Proof. Selecting $M = \lceil \epsilon^{-2}\delta^{-1} \rceil$, we use $O(\epsilon^{-2}\delta^{-1} n)$ coin flips and group operations, and $O(\epsilon^{-2}\delta^{-1})$ oracle invocations, as follows. The first step of the algorithm computes $M$ $n$-bit numbers, requiring $O(Mn)$ coin flips. The second step uses the oracle once per trial, or $M$ times, and each computation of $r_j g$ requires $O(n)$ group operations, using successive doubling. The time to compute $b_i(cg + r_j g)$ (which is known exactly, since $c$ and $r_j$, and hence the index $c + r_j$, are known) and $x + r_j g$ is comparatively small. ∎



6.2.2 Deciding square roots

We now present an algorithm to "decide square roots," a key step in determining the logarithm. Let $[a, b]$ denote the interval between $a$ and $b$, inclusive, where $a$ and $b$ are real numbers. When $a$ and $b$ are sufficiently close, it is possible to answer the question

"Given that index$(2^{i+1}x) \in [2^{i+1}a, 2^{i+1}b]$, is index$(2^i x)$ in $[2^i a, 2^i b]$ or in $[2^i a + N/2, 2^i b + N/2]$?"

These are the only two possibilities, since $2 \cdot \mathrm{index}(2^i x) \equiv \mathrm{index}(2^{i+1} x) \pmod N$; in multiplicative notation $2^i x$ is one of the two square roots of $2^{i+1} x$, whence the name.

Lemma 28 Let $[a, b]$ be an interval with

$$0 \le a \le b \le a + \frac{\epsilon N}{2^{i+2}} - 3 < \frac{N}{2^{i+1}}, \qquad (35)$$

and let $c$ be the integer closest to $(a + b)/2$. Let $\delta$ be any positive real number. If index$(2^{i+1}x) \in [2^{i+1}a, 2^{i+1}b]$ and index$(2^i x) \in [2^i a, 2^i b]$, then for $M \ge \epsilon^{-2}\delta^{-1}$,

$$\Pr[\, \xi_{i,\epsilon}(cg, x) \le 0 \,] \le \delta. \qquad (36)$$

Proof. The hypothesis index$(2^i x) \in [2^i a, 2^i b]$ implies

$$\mathrm{index}(x) \in \bigcup_{0 \le k < 2^i} \left[\, a + \frac{kN}{2^i},\; b + \frac{kN}{2^i} \,\right]. \qquad (37)$$

Then for some value of $k$ it is true that

$$\left| c + \left\lfloor \frac{kN}{2^i} \right\rfloor - \mathrm{index}(x) \right| \le b - a + 2, \qquad (38)$$

since $c$ lies within $(b - a)/2 + 1/2$ of every point of $[a, b]$ and the floor loses less than 1. Furthermore, because $\rho_{i,\epsilon}$ is periodic,

$$\left| \rho_{i,\epsilon}\!\left(cg + \left\lfloor \frac{kN}{2^i} \right\rfloor g,\; x\right) - \rho_{i,\epsilon}(cg, x) \right| < \frac{2^{i+1}}{N} \qquad (39)$$

for all $k$. Applying the locality property of lemma 25 at most $b - a + 2$ times and adding (39),

$$\left| \rho_{i,\epsilon}(cg, x) - \rho_{i,\epsilon}(\mathrm{index}(x)\, g,\; x) \right| < \frac{2^{i+1}(b - a + 2)}{N} + \frac{2^{i+1}}{N} \le \frac{\epsilon}{2}, \qquad (40)$$

the last step by (35). Since index$(x)\, g = x$, the approximation property gives $\rho_{i,\epsilon}(x, x) \ge \epsilon$, and consequently we have a lower bound on the correlation,

$$\rho_{i,\epsilon}(cg, x) > \frac{\epsilon}{2}. \qquad (41)$$

Using the estimation algorithm with $M \ge \epsilon^{-2}\delta^{-1}$, lemma 26 bounds by $\delta$ the probability that the estimate falls short of $\rho_{i,\epsilon}(cg, x)$ by $\epsilon/2$ or more, so we arrive at

$$\Pr[\, \xi_{i,\epsilon}(cg, x) \le 0 \,] \le \delta, \qquad (42)$$

proving the lemma. ∎

Using these observations, we construct an algorithm decide-square-roots (see figure 8) to answer the initial question.

Lemma 29 Given $x$, and assuming that index$(2^{i+1}x) \in [2^{i+1}a, 2^{i+1}b]$, algorithm decide-square-roots is correct with probability at least $1 - \delta$, where $\delta$ is the error bound in estimating the correlation.

Proof. The probability of error is at most $\delta$ whether index$(2^i x) \in [2^i a, 2^i b]$ (lemma 28) or index$(2^i x) \in [2^i a + N/2, 2^i b + N/2]$ (the symmetric argument, using the symmetry property of lemma 25, which makes the correlation negative by the same margin). Since these are the only intervals in which the index may lie, the algorithm is correct with probability at least $1 - \delta$. Furthermore, by lemma 27, the algorithm runs in time polynomial in $n$, $\epsilon^{-1}$ and $\delta^{-1}$. ∎

6.2.3 Computing the index

Algorithm compute-index (figure 9) computes the index of $x$ by successively restricting the range of indexes in which index$(2^{i+j}x)$ may lie. To show that this algorithm runs in polynomial time, we determine the probability that the restricted range for index$(x)$ is incorrect, assuming that an initial range for index$(2^{i+n}x)$ is correct. By showing that this probability is sufficiently small, we determine that in few iterations of the main part of the algorithm we can find the index.

Lemma 30 Algorithm compute-index finds index$(x)$ using polynomially many (in $n$, $\epsilon^{-1}$ and $2^i$) expected coin flips, group operations and oracle invocations.

Proof. Suppose the interval $[a, b]$ selected in step 1 is correct. By lemma 29, the probability of choosing the next $[a, b]$ correctly in step 2 is at least $1 - \delta$. Thus, the probability of success in $n$ consecutive choices is

$$(1 - \delta)^n \ge 1 - n\delta, \qquad (43)$$

since the bound $\delta$ holds for each estimate independently of the others, by the definition of the estimation algorithm.

If $[2^{i+1}a, 2^{i+1}b]$ contains index$(2^i x)$ upon entering step 3, then it contains exactly one integer, because step 2 reduces $b - a$ by a factor of 2 each time. Thus

$$2^{i+1}(b - a) \le \frac{2^{i+1}}{2^n}\left(\frac{\epsilon N}{2^{i+2}} - 3\right) < \frac{N}{2^{n+1}} < 1 \qquad (44)$$

upon entering step 3, since $N \le 2^n$. Step 4 then recovers the index.

To determine the running time, observe that there are about $2^{i+1}\epsilon^{-1}$ candidate intervals, so the expected number to search is $2^i\epsilon^{-1}$. Further, if $\delta = 1/2n$, then the probability of success in equation 43 is at least $1/2$, and thus two trials of step 2 are expected given the correct interval. In all, $2^{i+1}\epsilon^{-1}$ trials of steps 1–3 are expected. Since algorithm decide-square-roots and all other operations are polynomial in $n$, $\epsilon^{-1}$ and $\delta^{-1} = 2n$, algorithm compute-index is polynomial in $n$, $\epsilon^{-1}$ and $2^i$. ∎

6.3 Proof of main theorem

Finally, we complete the proof of the main theorem. Lemma 30 shows that an $\epsilon$-approximator for $b_i$ can be used to compute index$(x)$ in polynomially many coin flips, group operations and oracle invocations. If the group has an efficient composition operation, we have a probabilistic polynomial-time reduction from index computation to $\epsilon$-approximation, and the theorem is proved. ∎

6.4 Extensions

The oracle proof technique is easily modified to handle non-cyclic groups and to show the simultaneous security of $O(\log n)$ bits.

7 Simple case of elliptic curves

In a restricted class of elliptic curves, it is possible to construct a pseudo-random bit generator in a relatively straightforward manner. This restricted class has certain properties that make the construction and proofs easy. The intent of discussing this class is to provide a simple application of the sufficient conditions for pseudo-random bit generation, which will set a better foundation for the general case in section 8.

7.1 Statement of theorem

Definition 31 Let $E(F_p)$ be an elliptic curve in the simple case (section 3.3), and let $G$ be a generator. Then $(E(F_p), G)$ is a curve-generator pair.

We say an algorithm solves the elliptic logarithm problem for a curve-generator pair $(E(F_p), G)$ if for every $P \in E(F_p)$ it computes index$_{E(F_p),G}(P)$ correctly. Let $Q(n)$ be a polynomial, and let $T_Q(n)$ be the running time of any algorithm that solves the elliptic logarithm problem for at least a fraction $1/Q(n)$ of all curve-generator pairs, where $n$ is the length of $p$. By Miller's arguments [Mil85a], we have

Conjecture 32 (Simple elliptic logarithm intractability assumption) $T_Q(n)$ grows faster than any polynomial in $n$.

This leads to our main theorem. Let an instance of the simple case be a tuple

$$(E(F_p), G, P), \qquad (45)$$

where $E(F_p)$ is an elliptic curve in the simple case, $G$ generates $E(F_p)$, and $P$ is a point on the curve. The set of all instances where $p$ is an $n$-bit prime is denoted $I_n$.³

Theorem 33 Let $I$ be the set of instances in the simple case. Let $f$ and $b$ be defined for an instance $s = (E(F_p), G, P)$ as

$$f(s) = (E(F_p), G, \psi(P)), \qquad (46)$$

where

$$\psi(P) = \phi(P)\, G \quad \text{and} \quad \phi(P) = \begin{cases} p, & \text{if } P = O; \\ y, & \text{if } P = (x, y), \end{cases} \qquad (47)$$

and

$$b(s) = b_{E(F_p),G,0}(P). \qquad (48)$$

Under conjecture 32, $(I, f, b)$ is a Blum–Micali pseudo-random bit generator.

Proof. We prove the theorem by showing that the four sufficient conditions for a pseudo-random bit generator (section 4.4) are satisfied. Specifically, we show that $b$ and $f$ are friendship functions, $f$ is stable, $b$ is accessible, and $b$ is unapproximable. The proofs of each of these parts follow.

7.2 Friendship

Friendship is the easiest of the four parts to show. In particular, we simply prove

Lemma 34 There is an algorithm that computes $b \circ f$ in the simple case in polynomial time.

Proof. Let $s = (E(F_p), G, P)$ be an instance. Using the definitions of $f$ and $b$, we can write $b \circ f$ as

$$b \circ f(s) = \begin{cases} 1, & \text{if index}_{E(F_p),G}(\psi(P)) \ge (p+1)/2; \\ 0, & \text{otherwise.} \end{cases} \qquad (49)$$

Since index$_{E(F_p),G}(\psi(P)) = \phi(P)$ (as $0 \le \phi(P) \le p$, and the group has order $p + 1$), substituting the definition of $\phi$ leads to

$$b \circ f(s) = \begin{cases} 1, & \text{if } P = O; \\ 1, & \text{if } P = (x, y) \text{ and } y \ge (p+1)/2; \\ 0, & \text{otherwise.} \end{cases} \qquad (50)$$

This is easily computed in time polynomial in $n$. ∎

³ A data structure representing an instance $s$ would probably contain $n$, $p$, $B$, and the $x$- and $y$-coordinates of $G$ and $P$ (or the special symbol "$O$"). We write $(E(F_p), G, P)$ for convenience.
7.3 Stability

We base this on two intermediate results.

Lemma 35 $\phi$ is a bijection of $E(F_p)$ and $\{0, \ldots, p\}$ in the simple case.

Proof. By lemma 8, each $y \in F_p$ is the $y$-coordinate of exactly one point of $E(F_p)$ (when $p \equiv 2 \pmod 3$ the cube root of $y^2 - B$ is unique). Therefore the finite points are mapped one-to-one onto $\{0, \ldots, p - 1\}$, and $O$ alone is mapped to $p$. ∎

Lemma 36 $\psi$ is a permutation of $E(F_p)$ in the simple case.

Proof. Since $G$ generates $E(F_p)$, the set

$$\{\, aG \mid 0 \le a \le p \,\} \qquad (51)$$

contains every point on the curve exactly once. Thus $\psi(P) = \phi(P)\, G$ runs through (51) as $\phi(P)$ runs through $\{0, \ldots, p\}$. Since $\phi$ is a bijection onto $\{0, \ldots, p\}$, the curve is completely generated, and $\psi$ is a permutation. ∎

Lemma 37 (Stability) In the simple case, for each $n$, $f$ is a permutation on $I_n$. Further, there is an algorithm that computes $f$ in polynomial time.

Proof. The first part is true by the definition of $f$, because $\psi$ permutes $E(F_p)$. The second part is true because computing $f$ requires $O(\log \phi(P)) = O(n)$ group operations, which is polynomial in $n$. ∎

7.4 Accessibility

To show that the predicate $b$ is accessible, we construct an algorithm and analyze it. The algorithm is probabilistic and produces elements of $I_n$ with uniform probability in polynomial expected time. The algorithm, called simple-accessibility, appears in figure 10. We prove two lemmas about this algorithm, thereby showing accessibility.

We first recall the result of Bach [Bac83] also used in the Blum–Micali accessibility proof. (There it was used to produce $p - 1$ in factored form.)

Lemma 38 (Bach, 1983) There is a probabilistic polynomial-time algorithm that takes as input $n$ and outputs an integer of length $n$, together with its factorization. The integers are uniformly distributed.

Lemma 39 Algorithm simple-accessibility produces elements $s$ of $I_n$ in the simple case with uniform probability.

Proof. Since failure at steps 2–5 leads to "go to 1," it is sufficient to show that each step selects $p$, $E$, $G$ or $P$ with uniform probability among the acceptable values for that component. Using Bach's algorithm, all $p + 1$ are equally likely; thus all primes $p \equiv 2 \pmod 3$ are as well. Since all legal $B$ are equally likely for a given $p$, all curves $E$ are also. Algorithm cyclic-generating-test accepts exactly the generators of $E(F_p)$, because the factorization of $p + 1$, the order of the group, is known. Thus, since $\phi$ is a bijection (lemma 35), generators $G$ and points $P$ are selected with equal likelihood. ∎

Lemma 40 Algorithm simple-accessibility outputs an element $s \in I_n$ in the simple case in polynomial (in $n$) expected time.

Proof. The expected number of trials is $O(n \log n)$, as follows. Step 1 always succeeds. By the prime number theorem, and assuming that half of all primes are congruent to 2 mod 3, the probability of success in step 2 is $1/O(n)$. In step 3, finding a $B$ has probability at least $1/2$. In step 4, finding an $a$ has probability at least $1/2$, and finding a generator, $1/O(\log n)$, by lemma 3. In step 5, finding an $a$ has probability at least $1/2$. The probability of success in every step is $1/O(n \log n)$, leading to the expected value given above.

The running time for one trial is $O(n^6)$, as follows. Bach's algorithm runs in time $O(n^6)$. Testing primality is $O(n^4)$, using the technique of Solovay and Strassen [SS77]. Checking that $G$ is a generator, with the factorization of $p + 1$ known, takes $O(n^2)$ group operations, or time $O(n^4)$, by lemma 18. Computing $\phi^{-1}$ involves taking cube roots modulo $p$, which requires time $O(n^3)$.

This leads to an expected running time of $O(n^7 \log n)$, which is polynomial in $n$. ∎
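The following toy model of sections 7.1–7.4 is an added example, not code from the paper. It uses constructed parameters small enough to check every lemma by brute force: $p = 11$ (so $p \equiv 2 \pmod 3$ and cubing is a bijection on $F_p$) and the curve $E : y^2 = x^3 + 1$, with $|E(F_p)| = p + 1 = 12$. The generator is found by brute force using the order test of figure 3, and the elliptic logarithm `index` is computed by exhaustive search, which is only feasible in a group this small; the bit-extraction loop at the end simply iterates $\psi$ and applies the cheap $b \circ f$ of lemma 34, and is our illustration rather than the exact output convention of section 4.4.

```python
"""Toy model of the simple case (sections 7.1-7.4); added example, not the paper's code.
Constructed parameters: p = 11 (p = 2 mod 3) and the curve E: y^2 = x^3 + B with B = 1."""

P_MOD = 11
B_COEF = 1
N_ORDER = P_MOD + 1        # |E(F_p)| = p + 1 in the simple case (lemma 35)

def cube_root(z, p):
    # x -> x^3 is a bijection on F_p when p = 2 (mod 3); invert with exponent 3^{-1} mod (p - 1)
    return pow(z, pow(3, -1, p - 1), p)

def add(P, Q, p=P_MOD):
    """Tangent-and-chord addition on y^2 = x^3 + B (a = 0); None is the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P = -Q (also doubling a 2-torsion point)
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p     # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    """Scalar multiple kP by successive doubling, as lemma 37 uses to compute psi."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def phi(P):
    """phi of (47): O -> p, (x, y) -> y.  A bijection onto {0, ..., p} by lemma 35."""
    return P_MOD if P is None else P[1]

def phi_inv(a):
    if a == P_MOD:
        return None
    return (cube_root((a * a - B_COEF) % P_MOD, P_MOD), a)

def prime_factors(n):
    q, out = 2, []
    while q * q <= n:
        if n % q == 0:
            out.append(q)
            while n % q == 0:
                n //= q
        q += 1
    return out + ([n] if n > 1 else [])

def is_generator(G):
    """Order test with the complete factorization of N (figure 3): G generates E(F_p)
    iff (N/q) G != O for every prime q dividing N."""
    return all(mul(N_ORDER // q, G) is not None for q in prime_factors(N_ORDER))

def find_generator():
    for a in range(P_MOD + 1):
        G = phi_inv(a)
        if G is not None and is_generator(G):
            return G
    raise ValueError("E(F_p) is not cyclic for these parameters")

GEN = find_generator()

def index(Q):
    """Elliptic logarithm to base GEN by exhaustive search; feasible only in this toy group."""
    R = None
    for k in range(N_ORDER):
        if R == Q:
            return k
        R = add(R, GEN)
    raise ValueError("not in the group")

def psi(P):
    return mul(phi(P), GEN)                           # psi(P) = phi(P) G, a permutation (lemma 36)

def b(P):
    return 1 if index(P) >= (P_MOD + 1) // 2 else 0   # b = b_{E,G,0}: the hard predicate of (48)

def b_after_f(P):
    return 1 if phi(P) >= (P_MOD + 1) // 2 else 0     # b o f without any logarithm (lemma 34, (50))

def check_lemmas():
    """Verify lemmas 34-36 exhaustively on the toy curve; True when all of them hold."""
    pts = [phi_inv(a) for a in range(P_MOD + 1)]
    bijective = all(phi(Q) == a for a, Q in enumerate(pts))
    permutes = sorted(phi(psi(Q)) for Q in pts) == list(range(P_MOD + 1))
    friendship = all(b(psi(Q)) == b_after_f(Q) for Q in pts)
    return bijective and permutes and friendship

def bits(P, count):
    """Iterate f (psi on the point) and take one bit per step with the cheap b o f."""
    out = []
    for _ in range(count):
        out.append(b_after_f(P))
        P = psi(P)
    return out
```

Running `check_lemmas()` confirms on this curve that $\phi$ is a bijection, that $\psi$ permutes the twelve points, and that $b(\psi(P))$ computed through a logarithm agrees with the logarithm-free $b \circ f$ of equation (50); with a real-size $p$ only the latter is computable, which is exactly the friendship property.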
7.5 Unapproximability

Let $A$ be some algorithm that computes $b$ correctly with probability at least $1/2 + 1/Q(n)$ on elements of $I_n$, and let $T(n)$ be its running time.

Lemma 41 There is a fraction $1/2Q(n)$ of all curve-generator pairs $(E(F_p), G)$, where $p$ is an $n$-bit prime, such that algorithm $A((E(F_p), G, \cdot))$ $1/2Q(n)$-approximates $b_{E(F_p),G,0}(\cdot)$.

Proof. This follows from a counting argument. The main idea is that the fraction is minimized when $A$ is entirely correct on some curve-generator pairs, and just short of a $1/2Q(n)$-approximator on the rest. For every $E(F_p)$ where $p$ is an $n$-bit prime, we have

$$2^{n-1} + 1 \le N_p \le 2^n. \qquad (52)$$

If the curves in the curve-generator pairs on which $A$ is correct contain the maximum number of elements, and the rest contain the minimum number, then we arrive at the stated fraction. ∎

Using algorithm $A$ as the $\epsilon$-approximator, we can compute index$(P)$ with algorithm simple-index (figure 11). See figure 9 for algorithm compute-index.

Lemma 42 (Unapproximability) The predicate $b$ in the simple case is unapproximable.

Proof. By theorem 23, algorithm simple-index computes the index correctly for the fraction of curve-generator pairs for which $A$ is a $1/2Q(n)$-approximator in lemma 41. Furthermore, it does so in time polynomial in $n$, $Q(n)$ and $T(n)$. Suppose $b$ is not unapproximable, so that $T(n)$ is a polynomial in $n$. Then the algorithm solves the elliptic logarithm problem in time polynomial in $n$ for the $1/2Q(n)$ fraction. This contradicts conjecture 32, and therefore $b$ is unapproximable. ∎

8 General case of elliptic curves

The pseudo-random bit generator for the general case is like that for the simple case, but we use a pair of elliptic curves to define the friendship function. The general case is described in detail in the author's dissertation. The following are the major differences between the general case and the simple case.

• An instance of the general case is a tuple containing two elliptic curves, two generators for each, and a point which may lie on either curve. The curves are related by a transformation called twisting. This construction is essential to the definition of the friendship function $f$.

• The proof of accessibility requires a much more complicated algorithm than in the simple case. Two particular problems are that the group $E(F_p)$ is not necessarily cyclic in the general case, and that the complete factorization of its order $N_p$ is not known. The problems are solved by using the Weil pairing (for which Miller has recently developed a polynomial-time algorithm [Mil85b]) and algorithm with-partial-factorization (section 5.2).

• Since two elliptic curves are involved, the counting arguments involved in proving unapproximability are more difficult than in the simple case, though not unreasonable.

9 Conclusion

We propose several extensions to our research.

9.1 Reduction from discrete logarithm

The discrete logarithm problem stands on its own as a hard mathematical problem. Unlike quadratic residuosity and inverting RSA, it does not reduce easily to another hard problem, such as factoring. Whether it reduces to the elliptic logarithm problem is an interesting open problem.

9.2 Elliptic curves with factored order

The results in the general case (section 8) depend on an algorithm to compute a partial factorization of the order of the group. While this is sufficient for the generation of pseudo-random bits, it would be more elegant to use a completely factored order, as Blum and Micali do [BM84]. This would require an algorithm like Bach's [Bac83] to generate an elliptic curve together with the factorization of its order.

• Is there a polynomial-time algorithm which, on input $n$, outputs an elliptic curve $E(F_p)$ together with the factorization of its order, where $E(F_p)$ is selected with uniform probability among all curves where $p$ is an $n$-bit prime?

9.3 Subexponential elliptic logarithm algorithm

Adleman's algorithm for computing discrete logarithms [Adl79] was a breakthrough in 1979. Although Miller argues strongly for the ineffectiveness of techniques similar to Adleman's for computing elliptic logarithms [Mil85a], it may be possible to devise an alternative method. Ideally, this method would run in subexponential time.

• Is there an algorithm that computes elliptic logarithms in subexponential time?
Figure 1: An elliptic curve, showing the tangent-and-chord operation. (Figure not reproduced.)

Assume $M$ is given. Algorithm computes small prime factors of an integer $N$.

1. Initialize $S \leftarrow \{\}$.

2. Run Lenstra's algorithm for time $M$ to find a factor $p$. If no factor is found in this time, go to 4.

3. Set $S \leftarrow S \cup \{p\}$, $N \leftarrow N/p$; go to 2.

4. Return $S$.

Figure 2: Algorithm small-factors.

Suppose $N = p_1^{\alpha_1} \cdots p_l^{\alpha_l}$, $p_i$ prime, $p_i < p_{i+1}$, $\alpha_i > 0$. Algorithm finds the order of $x$ in the Abelian group $G$ using the complete factorization of $N$.

1. For each $i$, do step 2.

2. Let $\beta_i$ be the smallest integer such that $\left(N p_i^{\beta_i} / p_i^{\alpha_i}\right) x = 0$.

3. Output $p_1^{\beta_1} \cdots p_l^{\beta_l}$.

Figure 3: Algorithm with-complete-factorization.

Suppose $N = p_1^{\alpha_1} \cdots p_l^{\alpha_l} m$, $p_i$ prime, $p_i < p_{i+1}$, $\alpha_i > 0$, $m$ not necessarily prime. Algorithm finds the order of $x$ in the Abelian group $G$ using a partial factorization of $N$.

1. For each $i$, do step 2.

2. Let $\beta_i$ be the smallest integer such that $\left(N p_i^{\beta_i} / p_i^{\alpha_i}\right) x = 0$.

3. If $(N/m)\, x = 0$, then output $p_1^{\beta_1} \cdots p_l^{\beta_l}$; else output $p_1^{\beta_1} \cdots p_l^{\beta_l} m$.

Figure 4: Algorithm with-partial-factorization.

Suppose $N$ is the order of $G$. Algorithm determines whether $x$ generates the Abelian group $G$.

1. Use algorithm small-factors to compute a partial factorization of $N$.

2. Apply algorithm with-partial-factorization to compute an approximation $o$ to order$_G(x)$.

3. If $o = N$, output "yes"; else output "no."

Figure 5: Algorithm cyclic-generating-test.
Figure 6: Correlation circle. (Figure not reproduced.)

Estimates $\rho_{i,\epsilon}(cg, x)$ for an integer $c$.

1. Choose $r_j$ at random, $0 \le r_j < N$, $0 \le j < M$.

2. For each $r_j$, compare $b_i(cg + r_j g)$ to $b_{i,\epsilon}(x + r_j g)$. Set correct to the number of equal results.

3. Return correct$/M - 1/2$.

Figure 7: Algorithm estimate-correlation.

Given $x$, and assuming that index$(2^{i+1}x) \in [2^{i+1}a, 2^{i+1}b]$, determines in which interval index$(2^i x)$ lies.

1. Let $c$ be the integer closest to $(a + b)/2$, and compute $\xi_{i,\epsilon}(cg, x)$ using algorithm estimate-correlation.

2. If the estimate is positive, then return $[2^i a, 2^i b]$; else return $[2^i a + N/2, 2^i b + N/2]$.

Figure 8: Algorithm decide-square-roots.

1. Choose an interval $[a, b]$ with

$$0 \le a \le b \le a + \frac{\epsilon N}{2^{i+2}} - 3 < \frac{N}{2^{i+1}}.$$

2. For $j$ from $n - 1$ down to 0, set $y = 2^j x$ and use algorithm decide-square-roots to determine whether index$(2^i y)$ is in $[2^i a, 2^i b]$ or in $[2^i a + N/2, 2^i b + N/2]$, given index$(2^{i+1} y) \in [2^{i+1}a, 2^{i+1}b]$. In the former case, set $[a, b] \leftarrow [a/2, b/2]$; in the latter, set $[a, b] \leftarrow [a/2 + N/2^{i+2}, b/2 + N/2^{i+2}]$.

3. Let $c$ be the integer in $[2^{i+1}a, 2^{i+1}b]$. If there is no integer, or if $cg \ne 2^i x$, then restore the interval chosen in step 1 and go to 2.

4. Given that index$(2^i x) = c$, test up to $2^i$ integer values of the form

$$\frac{c}{2^i} + k\,\frac{N}{2^i}, \qquad 0 \le k < 2^i,$$

to find index$(x)$.

Figure 9: Algorithm compute-index.
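The following is an added example of the oracle proof technique of section 6.2 and figures 7–9, not code from the paper. It runs the three algorithms for the most significant bit ($i = 0$) on a constructed toy group: $\mathbb{Z}_N$ with $N = 1001$, written additively with generator $g = 1$, so that index$(x) = x$. The algorithm never uses that shortcut; it only adds and doubles group elements and queries a fixed $\epsilon$-approximator, which is $b_0$ with its answer flipped on a fixed quarter of the group, so that it is correct on exactly a $1/2 + \epsilon$ fraction with $\epsilon = 1/4$. The sample count $M$ follows lemma 26 with $\delta = 1/2n$ as in lemma 30. Two simplifications of figure 9 are ours: step 1 draws the interval at random rather than enumerating candidates, and a failed check in step 3 returns to step 1 with a fresh interval instead of repeating step 2.

```python
"""Oracle proof technique (section 6.2, figures 7-9) for i = 0 on a toy group.
Added example, not the paper's code; all parameters below are constructed."""
import math
import random

N = 1001                                  # group order (toy cyclic group Z_N, generator g = 1)
n = N.bit_length()                        # 2^n > N: number of halving steps in step 2
EPS = 0.25                                # the approximator's advantage
DELTA = 1 / (2 * n)                       # per-decision error bound, as in lemma 30
M = math.ceil(EPS ** -2 * DELTA ** -1)    # samples per estimate (lemma 26): 320 here

def b0(idx):
    """The predicate b_0: 1 iff the index is at least N/2."""
    return 1 if idx % N >= N / 2 else 0

# A fixed epsilon-approximator: b_0 with the answer flipped on a fixed set of
# (1/2 - EPS) N elements, so it is right on exactly a 1/2 + EPS fraction of Z_N.
_BAD = set(random.Random(7).sample(range(N), round((0.5 - EPS) * N)))

def approx_b0(x):
    return 1 - b0(x) if x % N in _BAD else b0(x)

def estimate_correlation(c, x, rng):
    """Figure 7: estimate rho(cg, x) = Pr_r[b_0(cg + rg) = approx(x + rg)] - 1/2.
    b_0(cg + rg) is known exactly because its index c + r is known."""
    agree = 0
    for _ in range(M):
        r = rng.randrange(N)
        agree += b0(c + r) == approx_b0(x + r)
    return agree / M - 0.5

def decide_square_roots(a, b, x, rng):
    """Figure 8 with i = 0: given index(2x) in [2a, 2b], True means index(x) is in
    [a, b], False means it is in [a + N/2, b + N/2]."""
    c = round((a + b) / 2)
    return estimate_correlation(c, x, rng) > 0

def compute_index(x, rng):
    """Figure 9 with i = 0: recover index(x) from the approximator alone."""
    L = EPS * N / 4 - 3                           # interval length allowed by (35)
    while True:
        a = rng.randrange(N // 2 + 1)             # step 1: guess [a, b], hoping index(2^n x) in [2a, 2b]
        b = a + L
        for j in range(n - 1, -1, -1):            # step 2: n rounds of deciding square roots
            y = (x * 2 ** j) % N                  # the group element 2^j x
            if decide_square_roots(a, b, y, rng):
                a, b = a / 2, b / 2
            else:
                a, b = a / 2 + N / 4, b / 2 + N / 4
        lo, hi = math.ceil(2 * a), math.floor(2 * b)
        if lo == hi and lo % N == x % N:          # step 3: one candidate c, verified as c g = x
            return lo % N
        # the guess in step 1 was wrong (or a decision failed): try a fresh interval

def recovery_rate(targets, seed=1):
    """Fraction of the constructed targets whose index is recovered (1.0 expected)."""
    rng = random.Random(seed)
    return sum(compute_index(x, rng) == x for x in targets) / len(targets)
```

With these constants a single decision compares an estimate of magnitude about $0.22$ against zero using 320 samples, so a wrong branch is far rarer than the $\delta = 1/20$ that lemma 26 guarantees; the cost is dominated by the roughly $N/(2L)$ interval guesses of step 1, as lemma 30 predicts.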

Algorithm selects $s \in I_n$ with uniform probability in polynomial expected time.

1. Apply Bach's algorithm to produce $p + 1$ in factored form. If $p + 1 = 2^{n-1}$, then let $p = 2^n - 1$ (so that $p$ is always an $n$-bit number).

2. Test that $p$ is prime and $p \equiv 2 \pmod 3$. If not, go to 1.

3. Guess an $n$-bit number $B$. If $B = 0$ or $B \ge p$, go to 1. The elliptic curve is $E : y^2 = x^3 + B$.

4. Guess an $n$-bit number $a$. If $a > p$, go to 1. Else let $G = \phi^{-1}(a)$. Check that $G$ generates $E(F_p)$ using algorithm cyclic-generating-test (section 5.3). If not, go to 1.

5. Guess an $n$-bit number $a$. If $a > p$, go to 1. Else let $P = \phi^{-1}(a)$.

6. Output $(E(F_p), G, P)$.

Figure 10: Algorithm simple-accessibility.

Computes index$_{E(F_p),G}(P)$ for some $(E(F_p), G)$.

1. Run algorithm compute-index using algorithm $A$ with fixed $(E(F_p), G)$ as the approximator, to produce $c$.

2. Output $c$.

Figure 11: Algorithm simple-index.
ABSTRACT

The focus of this note is the Goldwasser–Micali–Rivest signature scheme (presented in the 25th FOCS, 1984). The GMR scheme has the salient property that, unless factoring is easy, it is infeasible to forge any signature even through an adaptive chosen message attack. We present two technical contributions with respect to the GMR scheme:

1) The GMR scheme can be made totally "memoryless": that is, the signature generated by the signer on message $M$ does not depend on the previously signed messages. (In the original scheme, the signature of a message depends on the number of messages signed before.)

2) The GMR scheme can be implemented almost as efficiently as RSA: the original implementation of the GMR scheme based on factoring can be sped up by a factor of $|N|$. Thus, both signing and verifying take time $O(|N|^3 \log^2 |N|)$. (Here $N$ is the modulus.)

1. Introduction

In 1984, Goldwasser, Micali and Rivest presented a signature scheme robust against adaptive chosen message attack [GMR]: no adversary who first receives signatures of messages of his choice can later create a signature of even a single additional message. The scheme uses two pairs of trapdoor permutations, and is proven to be secure (in the above sense) if these pairs have a certain clawfree property (i.e. it is infeasible to find $x$ and $y$ such that $f_0(x) = f_1(y)$). It was shown that the intractability assumption of factoring implies the clawfree condition, and thus a concrete factoring-based implementation was presented.

Work done while the author was in the Laboratory for Computer Science, MIT.

The original GMR scheme suffers from two aesthetic drawbacks:

1) The signature scheme is not completely "memoryless". That is, the signature generated by the signer depends slightly on the previously signed messages.

2) The signing process in the suggested factoring-based implementation is too slow. Let $n$ be the security parameter (i.e. the length of the modulus); then signing takes more than $n^4$ steps (as opposed to $n^3$ steps in RSA).

In this note we suggest a modification of the abstract GMR scheme, and a speed-up in its factoring-based implementation. These suggestions eliminate both drawbacks listed above, while maintaining the security of the original scheme. That is, the modified scheme is totally "memoryless", and its implementation using factoring is almost as fast as RSA (while carrying a much stronger security guarantee than RSA!).

The rest of this note is organized as follows. In section 2 we briefly review the GMR signature scheme. The reader is encouraged to consult the original paper [GMR] for a more complete exposition of the GMR scheme. (This reference is also an excellent source for a critical review and a historical account of the problem of obtaining digital signatures.) In section 3, we present a modification which makes the GMR scheme "memoryless". In section 4, we present a speed-up in the factoring-based implementation of the GMR scheme. Our conclusions are presented in section 5.

2. Overview of the GMR Scheme

The GMR scheme is basically a two-stage authentication process. First the signer's entry in the public file is used to authenticate a random point of reference (hereafter called REF). Next this REF is used to authenticate the message in a bit-by-bit manner. The same REF is never used to authenticate two different messages. The scheme utilizes two pairs of trapdoor clawfree permutations, denoted $(f_0, f_1)$ and $(g_0, g_1)$. The $f$-pair is used for the first stage (authentication of the REF), while the $g$-pair is used for the second stage (authentication of the message).

The REFs are generated from the public file by using a tree structure (hereafter called the REF tree). The same REF tree is used to sign all messages. The root of the REF tree contains part of the signer's (entry in the) public file. Each internal node in the REF tree has a constant number of children (say three). Leaves in the REF tree are used to authenticate messages (in the second stage of the signing process). It was originally proposed [GMR] that only the third child of each internal node be a leaf, while the other children be potential internal nodes. As we will see in the sequel, this particular tree structure (for the REF tree) is not essential.

Authentication of the nodes in the REF tree is done successively: each node is authenticated by its father in the tree. A crucial detail in the GMR scheme is the manner in which one REF authenticates its children. Each REF is partitioned into five parts: its "name" (denoted $x$), the names of its children (denoted $y_1, y_2, y_3$), and a "tag" (denoted $t$) binding them all together. The tag is computed using the first pair of (trapdoor) clawfree permutations $f_0$ and $f_1$, through what is called an authentication step.

Let $F^{-1}(\sigma, x) = f_\sigma^{-1}(x)$ for every $\sigma \in \{0, 1\}$. Let $F^{-1}(\alpha\sigma, x) = F^{-1}(\alpha, f_\sigma^{-1}(x))$ for every $\sigma \in \{0, 1\}$ and $\alpha \in \{0, 1\}^*$; that is, the last bit of the string is applied first and the first bit last.

Then the five parts of the REF satisfy $t = F^{-1}(y_1 y_2 y_3, x)$.

(The REF tree should not be confused with the tree-like nature of the authentication step.)

The authentication of the message, in the second stage, consists of a single authentication step that uses the $g$-pair. This authentication step binds the message $m$ (to be signed) to a leaf in the REF tree. The tag $t$ binding the leaf named $x$ with the message $m$ satisfies $t = G^{-1}(m, x)$, where $G^{-1}$ is defined analogously to $F^{-1}$ based on the permutations $g_0$ and $g_1$.

To sign a new message $m$, the signer identifies a leaf that was not used so far (named $z$). If no such leaf exists, the signer identifies an unused internal node named $x$ (i.e. a node which is a potential internal node but has no children yet), randomly selects names for its children $(y_1, y_2, y_3)$, computes a tag binding the children to their father (i.e. uses the trapdoor information to compute $t = F^{-1}(y_1 y_2 y_3, x)$), stores the names of the children, and sets $z = y_3$. The signer retrieves (or recomputes) the tags for all the authentication steps leading from the root of the REF tree to the leaf named $z$. (It is crucial that, in all signatures produced, the same names are used for the same nodes.) This completes the first stage of the signing process. Next the signer uses the trapdoor information (for the pair $g_0$ and $g_1$) to compute the tag $G^{-1}(m, z)$. The signature consists of the list of all authentication steps mentioned above (corresponding to a path from the root to a leaf and an extra step authenticating the message by the leaf).

To verify the validity of a signature, the verifier checks that the list corresponds to a path from the root to a leaf, and that all tags along this path are valid. To validate $t = F^{-1}(\alpha, x)$, the verifier computes $F(\alpha, t)$, applying the forward permutations $f_{\sigma_1}, \ldots, f_{\sigma_m}$ in turn without any trapdoor, and compares the result to $x$.

3. Making the GMR Scheme Memoryless

As hinted in the outline of the GMR scheme, the particular way of using the nodes in the REF tree is not essential to the scheme. In the original scheme, the nodes were used in a "greedy" manner so as to minimize the length of the first signatures. The drawback of that suggestion is that it was required to remember the identity of the last node used for message authentication (i.e. to store the number of messages signed so far). Our aim is to eliminate the dependency of the next signature on the past. Thus, we suggest using the REFs in the tree differently than in the original scheme.

Let $n$ be the security parameter, and let $k = (\log_2 n)^2$. For message authentication (second stage), we will use only the REFs at the $k$-th level of the REF tree. In other words, the REF tree will be a full binary tree of depth $k$. The key idea is to use a randomly chosen ($k$-level) leaf in order to authenticate a new message. With very high probability, we will never use the same leaf twice (in the second stage). This is the case since $2^k$ was chosen to be much larger than the number of messages that will ever be signed.

The last detail to be mentioned is that the names of the nodes in the REF tree should be generated using a pseudorandom function (applied to the location of the node), rather than randomly. This way, we guarantee that the same names are always used for the same nodes, without having to store these names. (The idea to use pseudorandom functions to eliminate this part of the storage requirement in the GMR scheme was suggested by Leonid Levin.) Assuming the existence of one-way permutations, pseudorandom functions can be efficiently constructed [GGM].

Proving that the modified signature scheme is as secure as the original scheme requires a two-step argument. First, one should consider a hybrid scheme where the names of the nodes in the REF tree are generated randomly as in the original scheme. The proof of security for this scheme is conceptually identical to the proof presented in [GMR], and is only a little more involved in its details. Next, one uses the polynomial indistinguishability of the pseudorandom functions (from random functions) to show that the proposed scheme is as secure as the hybrid scheme.

Remark: the identity of the ($k$-level) leaf to be used can be computed by applying a pseudorandom function to the message to be signed. Thus, no coin tosses are required during the signing process. One can easily show that the security feature is preserved.

4. Speeding-up the Singing Process in the Factoring Based Implementation 

The computational bottleneck in the signing/verifying process are, respectively, the 
computation of F _1 (-,-) given the trapdoor and the computation of F {■,■)■ In the 
factoring-based implementation presented in [GMR], F~ l (-,-) was computed in | N | 4 
steps, while F(-,-) was computed in | iV | 3 steps, where N is the modulus in use. In this 
section we show how to compute F" 1 in | N \ 3 steps. 

In the implementation based on factoring, $N = pq$ is the product of two primes satisfying 
$p \equiv q \equiv 3 \pmod 4$ and $p \not\equiv q \pmod 8$. This way, each quadratic residue mod $N$ 
has a unique square root which is a quadratic residue itself, and neither $+2$ nor $-2$ is a 
quadratic residue mod $N$. $f_0$ and $f_1$ are defined to be permutations over the set of 
quadratic residues mod $N$: 

$$f_0(x) = x^2 \pmod N$$ 

and 

$$f_1(x) = 4x^2 \pmod N .$$ 

Let $\sqrt{x}$ denote the square root of $x$ which is a quadratic residue mod $N$. Thus, 
$f_0^{-1}(x) = \sqrt{x}$ and $f_1^{-1}(x) = \sqrt{x/4}$. Note that $\sqrt{4} \neq \pm 2 \pmod N$. This observation is the 
key for proving that, unless factoring is easy, the permutations $f_0$ and $f_1$ defined above 
constitute a pair of (trapdoor) clawfree permutations. For more details see [GMR]. 

Recall the definition of $F^{-1}(\alpha, x)$: 

$$F^{-1}(\alpha_1 \alpha_2 \cdots \alpha_m, x) = f^{-1}_{\alpha_1}\bigl(f^{-1}_{\alpha_2}(\cdots f^{-1}_{\alpha_m}(x) \cdots)\bigr) .$$ 

The obvious way to compute $F^{-1}(\alpha, x)$ is by successively taking square roots. This 
results in $\Theta(|\alpha|)$ exponentiations. We present an alternative and faster way for computing 
$F^{-1}(\alpha, x)$. This way requires only a constant number of exponentiations, and is based 
on the following observation: 

Let $m$ denote the length of $\alpha$, and $i(\alpha)$ denote the integer naturally encoded by the 
string $\alpha$ (with $\alpha_1$ as the most significant bit). Let $R_N(2^m, z)$ denote the $2^m$-th root of $z$ modulo $N$ (i.e. the quadratic 
residue obtained from $z$ by repeating the $\sqrt{\cdot}$ operator $m$ times). Then 

$$F^{-1}(\alpha, x) = \frac{R_N(2^m, x)}{\bigl(R_N(2^m, 4)\bigr)^{i(\alpha)}} \pmod N .$$ 

The reason is that taking the quadratic-residue square root is the inverse of squaring on the group of 
quadratic residues, hence multiplicative: $\sqrt{x/4} = \sqrt{x}/\sqrt{4}$, and the application of $f_1^{-1}$ at 
position $j$ of $\alpha$ contributes the factor $(R_N(2^m,4))^{2^{m-j}}$ to the denominator. (See example in the Appendix.) 

Computing $R_N(2^m, z)$ reduces to computing it modulo each of the factors (i.e. computing 
$R_p(2^m, z)$ and $R_q(2^m, z)$) and applying the Chinese Remainder Theorem. Rather than 
computing $R_p(2^m, z)$ by successive applications of $\sqrt{\cdot}$ we compute it by one exponentiation: 

(Pre)-compute $\mathrm{inv}_p(2) = (p+1)/4$, the "inverse" of 2 modulo $\phi(p) = p-1$. (Since $p-1$ is even, 
2 has no true inverse modulo $p-1$; $(p+1)/4$ inverts squaring on the quadratic residues, whose group has 
order $(p-1)/2$, because $2 \cdot (p+1)/4 \equiv 1 \pmod{(p-1)/2}$.) 

(Note that $R_p(2, z) = z^{\mathrm{inv}_p(2)} \bmod p$.) 

(Pre)-compute $\mathrm{inv}_p(2^m) = (\mathrm{inv}_p(2))^m \bmod (p-1)$, the "inverse" of $2^m$ modulo $\phi(p)$. 

Compute $r_p = z^{\mathrm{inv}_p(2^m)} \pmod p$. 

(Clearly, $r_p = R_p(2^m, z)$.) 

Thus, computing $F^{-1}$ reduces to a constant number of modular exponentiations. 
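The two ways of computing $F^{-1}$ side by side, as an added example that is not part of Goldreich's note: the toy primes $P, Q$ are constructed here (far too small for real use), the forward map $F$ is defined as the inverse of the $F^{-1}$ above, and `factor_from_claw` shows why a claw on $f_0, f_1$ yields a factor of $N$, which is the observation $\sqrt 4 \neq \pm 2$ made concrete. All names are this example's own.

```python
# Added example (not from Goldreich's note): F^{-1}(alpha, x) of the
# factoring-based GMR implementation computed two ways, by repeated square
# roots and by the constant-exponentiation formula of Section 4, plus the
# reason the pair (f_0, f_1) is clawfree. The primes below are constructed toy
# values (far too small for real use); F is defined as the inverse of F^{-1}.
from math import gcd

# Both primes are 3 (mod 4) and they differ (mod 8), as required on the page
P, Q = 1019, 1031             # 1019 = 3 (mod 8), 1031 = 7 (mod 8)
N = P * Q
assert P % 4 == 3 and Q % 4 == 3 and P % 8 != Q % 8

def legendre(a: int, p: int) -> int:
    """Euler's criterion: 1 if a is a quadratic residue mod the prime p, p-1 if not."""
    return pow(a % p, (p - 1) // 2, p)

def is_qr(x: int) -> bool:
    """x is a quadratic residue mod N iff it is one modulo both factors."""
    return legendre(x, P) == 1 and legendre(x, Q) == 1

def crt(rp: int, rq: int) -> int:
    """Chinese Remainder Theorem: the residue mod N with the given residues mod P, Q."""
    return (rp + P * (((rq - rp) * pow(P, -1, Q)) % Q)) % N

def R_mod_prime(m: int, z: int, p: int) -> int:
    """R_p(2^m, z) by one exponentiation. inv_p(2) = (p+1)/4 inverts squaring on the
    quadratic residues (2 * (p+1)/4 = 1 mod (p-1)/2), and the exponent inv_p(2)^m can
    be reduced mod p-1 because z^(p-1) = 1."""
    inv2 = (p + 1) // 4
    return pow(z % p, pow(inv2, m, p - 1), p)

def R_N(m: int, z: int) -> int:
    """R_N(2^m, z): the residue obtained from z by taking the QR square root m times."""
    return crt(R_mod_prime(m, z, P), R_mod_prime(m, z, Q))

def sqrt_qr(x: int) -> int:
    """The unique square root of the QR x that is itself a QR (needs the trapdoor P, Q)."""
    return R_N(1, x)

# The clawfree pair of the page and its inverses
def f0(x: int) -> int: return (x * x) % N
def f1(x: int) -> int: return (4 * x * x) % N
def f0_inv(y: int) -> int: return sqrt_qr(y)
def f1_inv(y: int) -> int: return sqrt_qr((y * pow(4, -1, N)) % N)   # sqrt(y/4)

def F_inv_naive(alpha: str, x: int) -> int:
    """f^{-1}_{a1}(f^{-1}_{a2}(... f^{-1}_{am}(x) ...)): one root extraction per bit."""
    for bit in reversed(alpha):            # the innermost f^{-1}_{am} acts first
        x = f1_inv(x) if bit == "1" else f0_inv(x)
    return x

def F_inv_fast(alpha: str, x: int) -> int:
    """Section 4: R_N(2^m, x) / R_N(2^m, 4)^{i(alpha)} mod N, two root computations
    and one exponentiation whatever the length of alpha."""
    m = len(alpha)
    denominator = pow(R_N(m, 4), int(alpha, 2), N)   # i(alpha): a1 most significant
    return (R_N(m, x) * pow(denominator, -1, N)) % N

def F(alpha: str, y: int) -> int:
    """Forward map (no trapdoor): undoes F^{-1} by applying f_{a1} first, f_{am} last."""
    for bit in alpha:
        y = f1(y) if bit == "1" else f0(y)
    return y

def factor_from_claw(x: int, y: int) -> int:
    """A claw f0(x) = f1(y) on quadratic residues means x^2 = (2y)^2 with x != +-2y,
    because +-2 are non-residues mod N; so gcd(x - 2y, N) is a proper factor."""
    assert f0(x) == f1(y) and is_qr(x) and is_qr(y)
    return gcd((x - 2 * y) % N, N)
```

With the trapdoor one can of course manufacture a claw (take any residue $y$ and set $x = \sqrt{4y^2}$); `factor_from_claw` then returns $P$ or $Q$, which is exactly why nobody without the trapdoor can find one.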



5. Conclusions 

Incorporating the two modifications into the GMR signature scheme, we get a scheme 
which is as secure as the original one, and is both "memoryless" and "practical". (It is 
important to note that assuming the intractability of factoring, pseudorandom functions 
$f$ can be implemented, and that evaluating $f(\beta)$ can be done in $n^3 \cdot |\beta|$ steps. Also 
note that the length of the argument to $f$ is $n \cdot (\log_2 n)^2$.) 

The "dependency on the past" in the original GMR scheme has nothing to do with 
the resolution of the "Paradox" mentioned in [GMR]. The paradox is resolved by observ- 
ing that the adversary is uniform, while the real signer is "non-uniform". For further dis- 
cussion see [GMR]. 

Throughout this note, we have implicitly assumed that the length of the message to 
be signed is linear in the security parameter ($n$). However, the GMR scheme works also if 
this is not the case, while the running time (naturally) increases. In case we are using the 
factoring-based implementation and the message has length $m \gg n$, the signing time 
increases by an additive term of $O(m \cdot n)$ and the verification time increases by an additive 
term of $O(m \cdot n^2)$. A different approach suggested recently by Damgard is to first 
hash the message using collision free hash functions and then to sign the hashed value [D]. 
Interestingly, Damgard also shows that such hash functions can be constructed based on 
the existence of any pair of clawfree permutations. 
APPENDIX 

Recall the definition of $F^{-1}(\alpha, x)$ 

$$F^{-1}(\alpha_1 \alpha_2 \cdots \alpha_m, x) = f^{-1}_{\alpha_1}\bigl(f^{-1}_{\alpha_2}(\cdots f^{-1}_{\alpha_m}(x) \cdots)\bigr)$$ 

and 

$$f_0^{-1}(x) = \sqrt{x} \quad\text{and}\quad f_1^{-1}(x) = \sqrt{x/4} ,$$ 

where $\sqrt{z}$ is the square root of $z$ which is a quadratic residue modulo $N$. 
Let us consider the case where the length of $\alpha$ is 2. We get, 

$$F^{-1}(00, x) = f_0^{-1}(f_0^{-1}(x)) = \sqrt{\sqrt{x}} = R_N(2^2, x) \pmod N$$ 

$$F^{-1}(01, x) = f_0^{-1}(f_1^{-1}(x)) = \sqrt{\sqrt{x/4}} = \frac{R_N(2^2, x)}{(R_N(2^2, 4))^1} \pmod N$$ 

$$F^{-1}(10, x) = f_1^{-1}(f_0^{-1}(x)) = \sqrt{\sqrt{x}/4} = \frac{R_N(2^2, x)}{(R_N(2^2, 4))^2} \pmod N$$ 

$$F^{-1}(11, x) = f_1^{-1}(f_1^{-1}(x)) = \sqrt{\sqrt{x/4}/4} = \frac{R_N(2^2, x)}{(R_N(2^2, 4))^3} \pmod N$$ 
Abstract 

This paper proposes several public key systems whose security is based on the 
tamperfreeness of a device instead of the computational complexity of a trapdoor one- 
way function. The first identity-based cryptosystem to protect privacy is presented. 

EXTENDED ABSTRACT 

1 Introduction 

We first give three main motives for this paper and overview the presented ideas. 

Since the invention of public-key systems by Diffie and Hellman almost all public-key 
systems proposed were based on some computationally hard problems (e.g. factoring). It 
was however shown that it is not easy to design a secure public-key system based on 
computationally hard problems. Examples of failures are the Lu-Lee system, the Merkle- 
Hellman knapsack scheme (and others) and the Matsumoto-Imai scheme. If we remark 
that the McEliece scheme has not been analysed enough to be used, there do not exist fast 
public-key systems (the speed of RSA is today less than 64 kbit/sec). This is one of the 
main reasons to come up with other public-key systems. 

Bennett and Brassard remarked that it is not necessary to use computational com- 
plexity to design a public-key system. As an example they started from the uncertainty 
principle, which claims that some physical problems are very hard to solve (impossible 
to measure). Bennett and Brassard mentioned that their system would remain secure 
if NP=P and if factoring would be easy. However the cryptosystems they proposed are 
today impractical. One can conclude that a second reason for this paper is to design 
cryptosystems which are not based on the assumption that trapdoor one-way functions 
exist. 

The authenticity of the public key is a major problem in the set-up of a secure cryp- 
tosystem, certainly in the case of a large network. A nice solution was proposed by Shamir 
in 1984 called "identity-based cryptosystem". Instead of using the public key of the re- 
ceiver (to encrypt in order to protect the privacy of a message), the name of the receiver 
is used as public key. The secret key of each user was calculated by an authority at the 
start-up of the system. (It is not excluded that the authority destroys itself after the 
start-up of the system.) Public-key systems, identity-based cryptosystems and their key 
generation are systematically explained in Fig. 1. 

*This research was done while the author was aangesteld navorser (research fellow) of the NFWO at the Katholieke Universiteit 
Leuven. 

Figure 1: Key generation for public-key and identity-based systems 

Figure 2: A first implementation of a public-key system 
In our paper we start from the assumptions that hard conventional systems exist and 
that it is possible to make tamperfree devices. Remark that the first assumption is based 
on the complexity of algorithms, but seems acceptable, certainly if one takes into con- 
sideration that it is much harder to build trapdoor one-way public-key systems than 
conventional ones. Without the second assumption many modern uses of cryptography 
would become insecure. Indeed a secure system must be tamperfree, otherwise an oppo- 
nent can simply steal the secret key used in the system. Several practical systems start 
from this second assumption. E.g., a software copyright protection system proposed by 
NPL becomes completely insecure if tamperfree devices cannot be built. Remark too 
that each identification method is at least partially based on some tamperfree system or 
card (see also Section 5). 

Given two conventional cryptosystems and the existence of tamperfree implementa- 
tions we propose in our full paper several public-key systems, and the first identity-based 
cryptosystem to protect privacy. 

2 Public keys 

2.1 The basic idea 

Let us give an example of such a system. From now on we call E', D', E'' and D'' the 
encryption and decryption of respectively the first and second conventional cryptosystems. 
Special cases use the algorithm DES in encryption mode for E' and E'' or decryption mode 
for D' and D''. To obtain a public-key system three devices are used: an encryption 
device (corresponding to the operation E), a decryption device (corresponding to the 
operation D) and a system which generates the public key starting from the secret key 
(corresponding to the operation G). Each user of the system generates a secret key k. He 
obtains his corresponding public key K by applying G on k, or K = G(k). The device G 
is nothing but E'' with a supersecret key s (which in the best case nobody knows). The 
device G is tamperfree so that it is hard to find the key s. In this example the supersecret 
key s is used in all devices G. 

2.2 Two implementations of such a public-key system 

We now discuss two implementations to obtain such a public-key system (see also Fig. 2 
and Fig. 3). 

In the first example (see also Fig. 2) the decryption device (D) uses the secret key. 
In fact here D is equal to D'. The encryption device (E) uses as a black box the public 
key K. The system E is built up using E' and D''. The box E is tamperfree. In the 
box E first D'' is used to find k, or k = D''(K) using the supersecret key s. This last 
calculation is done inside E, and no trace of this calculation and its result can leak out to 
the outside world. In other words because the device E is tamperfree it is hard to find k. 
The encryption of messages is done by E' using the key k. 

The described scheme can be used to protect, as a public-key system, the privacy and 
authenticity of messages as well as to sign. To protect privacy the sender uses E with the 
public key of the receiver (while the receiver uses D with his secret key). Remark again 
that although the sender in fact uses the secret key of the receiver, he cannot access it. 
To sign, the sender uses D with his secret key (evidently redundancy is introduced in the 
message). The receiver can check the signature (using the mentioned redundancy). The 
sender is the only one who could generate that signature. 

Figure 3: A second implementation of a public-key system 

Figure 4: The first identity-based system to protect privacy 

The second implementation has the advantage that each user in the system has the 
same tamperfree device for encryption as well as for decryption. Let us describe such a 
system in a few words. For this paragraph, we refer to Fig. 3. Let (T) be the tamperfree 
device used in the system. As for the first system, each user i generates a secret key k_i 
and a corresponding public key K_i. For that he uses the device G as already discussed. 
The device (T) contains E', D', D'' and the supersecret key s as described in Fig. 3. To 
send an encrypted message to a user B, a user A uses the device (T) in mode encryption 
and applies his secret key k_A to the input x and the public key K_B of the user B to 
the input y. To decrypt this message the user B uses the device (T) in mode decryption 
and applies his secret key k_B to the input x and the public key K_A of the user A to the 
input y. In these two phases, the effective key in use is the same but is unknown to the 
two parties. There are many variants to this scheme with the possibility of a session key, 
and so on. Let us remark that using a symmetric cryptosystem (sometimes called conventional 
system) together with such a symmetric implementation (the devices are the same for the 
encryption and the decryption) leads to an asymmetric cryptosystem (sometimes called 
public-key system). 

3 Identity-based cryptosystem 

By modifying the previous examples a little it is no longer necessary to use public keys (or 
rather, the public key of somebody is equal to his name or identification). The key generation 
machine G is now modified. The system G now uses E'' (with the supersecret key s); 
the input of G is the name (or a sufficient identification of the person to be unique), and the 
output is the secret key of the user (see also Fig. 4). In order to avoid frauds the uses of 
G are controlled by an authority. Each user can use G only once, and is only allowed to 
give as input something that corresponds with his identification (birthday, name of his 
father, name of company, ...). This is a first advantage because it avoids in large networks 
the authentication of the public key. This technique gives a first solution to a problem left 
open by Adi Shamir, to propose an identity-based cryptosystem to protect privacy. 

4 Security 

In this section only necessary conditions in order to obtain a secure implementation are 
discussed. Sufficient conditions are still under research. 

The system E" has to be a secure cryptosystem such that all attacks fail in finding 
s by cryptanalytic methods. Therefore it is necessary that E" is secure e.g. against an 
adaptive chosen text attack. The reader could wonder how an adaptive chosen text attack 
could be set up, certainly if an authority limits the use of the device G (as in the case of 
identity-based cryptosystem). The answer is that the adaptive aspect can be obtained if 
several users (which have e.g. special names) collaborate. 

Evidently the cryptosystems E', D' and D'' also have to be secure cryptosystems. 

Another necessary condition is that the system may not have (or use) weak keys (a 
term introduced by Davies related to weak keys in DES) or similar weaknesses. Using 
a weak key there is no difference between an encryption and a decryption operation. 
Indeed an asymmetry is required to obtain public-key systems. If not, this implies that 
everybody can generate signatures of an opponent using his public key, because E' will 
in fact internally use the secret key of the opponent and for weak keys this E' operation 
is the same as the D' operation. In general in order to protect signatures (with the 
described scheme) it must be hard to generate outputs of D' starting from outputs of 
E'. So semi-weak keys are also dangerous. The same remark holds for the protection of 
privacy. Otherwise everybody could decrypt messages sent to Bob, using Bob's public key, 
for a similar reason. 

5 Advantages, disadvantages and other aspects 

A major advantage of the discussed systems is the speed. Using DES (and dropping weak 
keys) much faster public-key systems can be made. An important disadvantage of the 
system is that everybody who knows s can attack all users! However in some cases such a 
property is desired (by the authority), as in the case of communications between persons 
of a same company (e.g. a bank). In this context we remark that the key distribution 
problem in some large companies (when a normal conventional system is used), can be 
hard to solve. 

Remark also that in the previous discussions one can e.g. replace the supersecret key s 
by some secret function. In the discussed example E', D', E'' and D'' are publicly known 
conventional algorithms. It is trivial to understand that the same holds if E', D', E'' 
and D'' are secret. In other words if some organization promotes secret algorithms, key 
distribution centers can be avoided and one can use the described public-key method. 
Indeed in order to maintain the secrecy of the used secret algorithms, the devices must 
be at least tamperfree. 

Finally one can question whether the described system is really a public-key system. To 
settle this one can use the well known Turing test. Suppose DES and RSA are 
used (to be mathematically correct, n DESes are used with n different keys); is it then 
possible to find out in polynomial time (as a function of n) whether DES or RSA is used? It is well 
known that the answer is yes, using the Jacobi symbol in a known plaintext attack. In 
a secure implementation of RSA and DES it must be hard to distinguish the ciphertext from 
truly random data in polynomial time. As a consequence, if DES (in such a 
public-key system) and RSA are used in a secure implementation, no difference can be 
observed in polynomial time. 

Remark that in a part of our paper on the importance of good key scheduling schemes 
(1985, CRYPTO '85), we did not obtain a real public-key system as we do here, moreover, 
some of our assumptions there are the opposite of some assumptions here. 

It is not too hard to find better schemes which satisfy some desired properties, some 
of these other schemes are still under research. For instance, in the context of tamperfree 
devices, it is possible to design claw-free functions with conventional cryptoalgorithms 
and thus to have very fast algorithms to sign documents (Rivest, Goldwasser, Micali, 
Goldreich). 

Another advantage is that the above idea of identity-based cryptosystem can be used 
in a protocol to protect passports. Let us again start from the assumption that 
tamperfree devices and conventional cryptosystems exist, where the decryption op- 
eration cannot be obtained by applying the encryption operation polynomially many times. Remark 
that the assumption of tamperfree devices is also necessary in Shamir's protocol (presented 
at the same conference). Indeed if an owner of a passport is able to find his corresponding 
secret (the square roots in Shamir's protocol), there is no protection against cloning. For 
very busy businessmen or consultants or researchers it can be an important advantage 
to clone themselves, so that the clone handles public relations and other 
aspects for which the original persons are too busy. If a difference has to be made be- 
tween the identity of the person and his cloned version, the person himself is not allowed 
to know the secret corresponding with his identity. So tamperfree devices are necessary. 

Our identification protocol is very similar to the one of Shamir, except that a different 
type of algorithm is used and that the country that is visited generates the random value. Again 
we use the identity-based cryptosystem to protect signatures. Each country (e.g. Israel) 
distributes to other countries the E devices, containing their supersecret s. During use, a 
visitor (e.g. Alice) tells the officials her nationality (e.g. Israeli) and her identity. The 
country which she visits (e.g. Belgium) then uses the tamperfree device obtained from 
Israel, and the name (identity) of Alice is used as key by that country (e.g. Belgium). 
Belgium then generates some random t and gives E(t) to Alice. If Alice knows her secret 
key (obtained from her country, Israel), she is able to decrypt it and obtain t, which she 
gives to Belgium. If both t's match, Belgium accepts Alice's identity. The disadvantage of 
this system is that some 200 different kinds of machines are necessary (one for each country). 
The advantage is that each country relies on its own technology to avoid false passports 
made by other countries. A proof for the security of the discussed protocol is still under 
research. 
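A software model of the constructions of Sections 2 to 5, added here as an illustration and not part of the paper: a class standing in for the tamperfree device (the supersecret s is a private attribute that only the listed operations touch), the E, D and G boxes of Fig. 2, the single device (T) of Fig. 3, the identity-based variant of Section 3, the passport challenge of Section 5, and the weak-key failure of Section 4. The HMAC-SHA256 Feistel cipher in place of DES, the 16-byte blocks and keys, the XOR combining rule inside T and the hashing of names to blocks are assumptions made for this example, not choices of the paper.

```python
# Added example (not from the paper): a software model of the tamperfree-device
# public-key systems of Sections 2-5. The Feistel cipher built from HMAC-SHA256
# stands in for DES as E'/D' and E''/D''; 16-byte keys and blocks, the key
# combining rule of the single-device variant (Fig. 3) and the name-to-block
# mapping are all assumptions made here, not the paper's choices.
import hmac
import hashlib
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Toy Feistel block cipher E'_key(block). Not an involution, so E' != D'."""
    assert len(block) == BLOCK
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(rounds):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l

def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """D'_key: the same rounds in reverse order."""
    assert len(block) == BLOCK
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(rounds)):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l

def stream_cipher(key: bytes, block: bytes) -> bytes:
    """A cipher that is its own inverse: exactly the 'weak key' situation of Section 4."""
    return _xor(block, hmac.new(key, b"keystream", hashlib.sha256).digest()[:BLOCK])

def name_block(name: str) -> bytes:
    """Map an identity string to one block (assumed encoding of 'the name as key')."""
    return hashlib.sha256(name.encode()).digest()[:BLOCK]

class TamperfreeDevice:
    """The sealed box: s never leaves it; only the operations below are exposed.
    enc1/dec1 play E'/D' (the message cipher); the Feistel cipher always plays E''/D''."""
    def __init__(self, s: bytes, enc1=feistel_encrypt, dec1=feistel_decrypt):
        self._s, self._enc1, self._dec1 = s, enc1, dec1
    def G(self, k: bytes) -> bytes:
        """Key generation: public key K = E''_s(k)."""
        return feistel_encrypt(self._s, k)
    def E(self, K: bytes, m: bytes) -> bytes:
        """Encryption box of Fig. 2: recover k = D''_s(K) inside, then E'_k(m)."""
        return self._enc1(feistel_decrypt(self._s, K), m)
    def T(self, mode: str, x_secret: bytes, y_public: bytes, data: bytes) -> bytes:
        """Single device of Fig. 3: effective key from own secret x and peer's public y.
        Combining rule (assumed): k_eff = x XOR D''_s(y), the same for both parties."""
        k_eff = _xor(x_secret, feistel_decrypt(self._s, y_public))
        return self._enc1(k_eff, data) if mode == "enc" else self._dec1(k_eff, data)
    def G_id(self, name: str) -> bytes:
        """Identity-based key generation (Section 3): secret key = E''_s(name);
        the authority lets each user call this once, with his own identity."""
        return feistel_encrypt(self._s, name_block(name))
    def E_id(self, name: str, m: bytes) -> bytes:
        """Identity-based encryption: the receiver's key is derived from the name inside."""
        return self._enc1(self.G_id(name), m)

def D(k: bytes, c: bytes) -> bytes:
    """User-side decryption D = D'_k: needs the secret key but no device."""
    return feistel_decrypt(k, c)

def sign(k: bytes, m: bytes) -> bytes:
    """Signing = D with the signer's secret key on a (redundant) message."""
    return feistel_decrypt(k, m)

def verify(dev: TamperfreeDevice, K_signer: bytes, sig: bytes, m: bytes) -> bool:
    """Anyone checks with E and the signer's public key: E'_k(D'_k(m)) == m."""
    return dev.E(K_signer, sig) == m

def passport_check(country_dev: TamperfreeDevice, name: str, visitor_secret: bytes) -> bool:
    """Section 5: the visited country sends E(t) under the visitor's name using the
    device issued by her country; she decrypts with her secret key; the t's must match."""
    t = os.urandom(BLOCK)
    response = D(visitor_secret, country_dev.E_id(name, t))
    return hmac.compare_digest(response, t)
```

Building the device with `enc1=stream_cipher` reproduces the Section 4 failure concretely: the encryption box applies E'_k with Bob's own k, so when E'_k is its own inverse, feeding a ciphertext for Bob back into the box under Bob's public key returns the plaintext to whoever holds the box.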

6 Open Problems 

A main open problem is to find an identity-based cryptosystem which protects privacy 
and whose security is not based on the assumption of the existence of tamperfree devices. 

Another open problem is to overcome the problem of the supersecret key s, mentioned 
in Section 5. Does there exist an identity-based cryptosystem to protect privacy whose 
security is based on tamperfree devices and computational complexity, and which uses a 
different supersecret s for different users? In other words that system would remain secure 
if the computational problem is solved but the tamperfreeness is still valid, or if the 
reverse situation happened. 

The authors have the impression that both mentioned open problems are strongly 
related. 

Remarks 

Other works, more or less related to this one, were made by M. E. Smid, R. E. Lennon, 
S. M. Matyas and C. H. Meyer, H. Beker and M. Walker. 
Abstract. A multi-party cryptographic protocol and a proof of its security are presented. The 
protocol is based on RSA using a one-way-function. Its participants are individuals and organi- 
zations, which are not assumed to trust each other. The protocol implements a "credential 
mechanism", which is used to transfer personal information about individuals from one organiza- 
tion to another, while allowing individuals to retain substantial control over such transfers. 

It is proved that the privacy of individuals is protected in a way that is optimal against 
cooperation of all organizations, even if the organizations have infinite computational resources. 
We introduce a "formal credential mechanism", based on an "ideal RSA cryptosystem". It 
allows individuals a chance of successful cheating that is proved to be exponentially small in the 
amount of computation required. The new proof techniques used are based on probability theory 
and number theory and may be of more general applicability. 

1. INTRODUCTION 

The aim of this paper is to present in a formal way, and to prove the desired properties of, a 
multi-party cryptographic protocol called a "credential mechanism" that was introduced in 
[Ch 85]. In this section, the protocol is re-introduced and then an overview of the paper is given. 

1.1. Credential mechanisms 

A credential mechanism is a cryptographic protocol that provides for transfers of information 
about individuals between organizations. The information about individuals transferred will con- 
sist of credentials belonging to some fixed set. If individuals identify themselves to each organiza- 
tion essentially uniquely, such as by their name, date of birth, or some universal identification 
number, then credentials about an individual can be transferred between organizations without 
control by that individual. To give individuals control over such transfers, the credential 
mechanism allows individuals to use different pseudonyms with different organizations. Different 
individuals use different pseudonyms. Organizations have no more identifying information about 
individuals than these pseudonyms, and thus, from the point of view of the organizations, creden- 
tials can be linked to pseudonyms rather than to individuals. 

When information about an individual is to be sent from one organization to another, the 
first organization issues a certificate, called a "credential on a pseudonym", to the individual, 
showing that a particular credential applies to his pseudonym used with that organization; then 
the individual transforms this certificate into "the same credential on a (second) pseudonym" 
used with the second organization; and finally the individual shows this credential on the second 
pseudonym to the second organization. 

The following is a precise description of the properties of the pseudonyms and credentials 
of the credential mechanism: 

Property 1. The set of pseudonyms can be partitioned in two ways: into I-sets each containing 
the pseudonyms used by an individual and into O-sets each containing the pseudonyms known to 
an organization. 

Property 2. Each I-set and each O-set have at most one pseudonym in common. 

Property 3. For any individual, it is easy to compute a credential on a pseudonym if some organi- 
zation has issued the same credential on a pseudonym belonging to the same I-set; otherwise 
computing that credential on that pseudonym is infeasible for that individual (unforgeability). 

Property 4. The credential mechanism does not reveal any information to even cooperating 
organizations about how the pseudonyms are partitioned into I-sets (unlinkability). 

By these properties, a credential mechanism guarantees each individual that different organ- 
izations (possibly by cooperation with other organizations and some other individuals) can never 
link the information they have about him. For an organization can only link the information 
about that individual to his pseudonym used with that organization; and by property 4 the 
credential mechanism does not reveal to the organizations which pseudonyms belong to which 
individual. A credential mechanism also protects each organization against individuals trying to 
convince it that certain credentials apply to them while this is in fact not true. This is so since by 
property 3, no individual is able to compute a credential on one of his pseudonyms if he did not 
previously get that credential on one of his other pseudonyms. Property 2 also protects organiza- 
tions by, for example, preventing a credential issued by one organization on some pseudonym 
from being transformed into a credential on more than one pseudonym used with any particular 
organization. 

To achieve properties 1-3, both pseudonyms and credentials on pseudonyms must be con- 
structed in a special way. The credential mechanism must ensure that individuals construct their 
pseudonyms in this way. But, because of property 4, individuals cannot be required to show 
organizations how they have constructed their pseudonyms. Therefore, credential mechanisms 
include a validating part which is a protocol, by which individuals convince the organizations that 
they have constructed their pseudonyms correctly without revealing how they have done so. 

1.2. Overview of the paper 

In §2 we introduce some formalism about protocols and attacks on protocols (these are ways by 
which some of the participants of the protocol, possibly by cooperating, violate the rules of a pro- 
tocol) which will serve as a mathematical framework in which properties of the credential 
mechanism can be stated and proved. 

In §3 we describe a credential mechanism based on RSA with a single composite modulus 
N. The validating part is based on a "one-way" function, and all credentials on pseudonyms are 
RSA-signatures. Since only one modulus is used, and since it is not assumed that all organiza- 
tions trust each other, a special organization participates in the credential mechanism, called a 
"signature authority", which is the only organization that has to know the factorization of N used 
in making signatures. The signature authority is trusted by the other organizations— but not by 
the individuals — and is willing to provide suitable signatures requested by organizations. The sig- 
nature authority also participates in the validating part. In §§3.1-3.4 an overview of the creden- 
tial mechanism is given which can be read independently of §2. In §3.5 the credential mechan- 
ism is described by means of the formalism introduced in §2. 
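An added illustration of the transfer mechanic that §1.1 and the overview of §3 describe, namely a credential realised as an RSA signature under the single modulus $N$ that the individual carries from the pseudonym used with one organization to the pseudonym used with another. This is not the paper's own §3 protocol (which lies outside this excerpt) and it omits the validating part, so individuals are assumed to form pseudonyms honestly. The pseudonym form $u \cdot r_j^{E}$ (one blinding factor $r_j$ per organization, $E$ the product of all credential exponents), the exponents 3, 5, 7, the toy primes and all class and function names are assumptions made for this example.

```python
# Added illustration, not the paper's own section 3 protocol: a credential on a
# pseudonym realised as an RSA signature under one modulus, carried from the
# pseudonym used with one organization to the pseudonym used with another.
# Assumptions made here: pseudonyms have the form u * r_j^E (one blinding factor
# r_j per organization, E = product of all credential exponents), the exponents
# and toy primes below, and no validating part (individuals are assumed to form
# pseudonyms honestly).
from math import gcd
import random

P_, Q_ = 10007, 10037                     # toy primes, far too small for real use
N = P_ * Q_                               # the single modulus of the scheme
PHI = (P_ - 1) * (Q_ - 1)                 # known only to the signature authority

# One public exponent per credential type, each coprime to phi(N)
CRED_EXP = {"over_18": 3, "licensed_driver": 5, "good_payer": 7}
E_ALL = 1
for _e in CRED_EXP.values():
    assert gcd(_e, PHI) == 1
    E_ALL *= _e

def _unit(rng: random.Random) -> int:
    """Random element of Z_N^* (avoids the negligible chance of hitting a factor)."""
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:
            return x

class SignatureAuthority:
    """The only party holding the factorisation; signs on request of organizations."""
    def __init__(self):
        self._d = {c: pow(e, -1, PHI) for c, e in CRED_EXP.items()}
    def issue(self, cred: str, pseudonym: int) -> int:
        """Credential 'cred' on a pseudonym: an RSA signature with that type's exponent."""
        return pow(pseudonym, self._d[cred], N)

def verify(cred: str, pseudonym: int, sig: int) -> bool:
    """Any organization checks a credential on a pseudonym with the public exponent."""
    return pow(sig, CRED_EXP[cred], N) == pseudonym

class Individual:
    """Holds a master value u and one blinding factor per organization, so exactly one
    pseudonym of this individual is known to each organization (Property 2)."""
    def __init__(self, rng: random.Random):
        self.u = _unit(rng)
        self._r = {}
        self._rng = rng
    def pseudonym(self, org: str) -> int:
        r = self._r.setdefault(org, _unit(self._rng))
        return (self.u * pow(r, E_ALL, N)) % N
    def transfer(self, cred: str, sig: int, src_org: str, dst_org: str) -> int:
        """Turn 'cred' on the src_org pseudonym into 'cred' on the dst_org pseudonym.
        sig = (u r_src^E)^{d_c} = u^{d_c} r_src^{E/e_c}, so swapping the blinding
        factor needs no trapdoor; without a signature to start from, computing
        u^{d_c} is the RSA problem (Property 3)."""
        k = E_ALL // CRED_EXP[cred]
        unblind = pow(pow(self._r[src_org], k, N), -1, N)
        reblind = pow(self._r[dst_org], k, N)
        return (sig * unblind * reblind) % N
```

The second organization only ever sees its own pseudonym and a valid signature on it; the factor $r_j$ that ties the two pseudonyms together never leaves the individual, which is the unlinkability idea of Property 4 in its simplest form.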

In §4 we prove that property 4 (the unlinkability of the pseudonyms) holds for the creden- 
tial mechanism as described in §3.5 in the following respect: all information revealed by the 
credential mechanism about how the pseudonyms are partitioned into I-sets is already revealed 
by the moments that pseudonyms, credentials, etc. are issued by or shown to an organization. It 
is argued that this kind of information is revealed by any credential mechanism, so that our 
credential mechanism offers optimal unlinkability. 

In §5 we introduce the "formal credential mechanism". This mechanism is equivalent to 
the actual credential mechanism, except that it is based on an "ideal" RSA cryptosystem and an 
"ideal" one-way function. It is possible to establish a correspondence between messages in "ideal 
RSA" and messages in "real RSA" by means of a multiplicative homomorphism. Our formal 
credential mechanism is endowed with a computational model which precisely describes which 
"computations" each participant of the credential mechanism can perform. Thus our model of a 
formal credential mechanism can be compared with that used for RSA based ping-pong protocols 
in [EGS 85]. 

In §6 we state the main theorem about the formal credential mechanism: that in each possi- 
ble attack on the formal credential mechanism, the probability that individuals will agree with the 
organizations about the use of pseudonyms which do not have properties 1, 2 and 3, has an 
upper bound which is an exponentially decreasing function of the number of computations done 
in the validating part. In §6 we also give an example of an attack by which individuals could try 
to agree with organizations about the use of pseudonyms in the formal credential mechanism 
which do not satisfy properties 1, 2 and 3 mentioned in §1.1. With this attack we show that the 
upper bound given in the theorem cannot essentially be improved. 
upper bound given in the theorem cannot essentially be improved. 

In §7, we prove the theorem mentioned in §6. Unlike the ping-pong protocols of [EGS 85], 
our formal credential mechanism models a protocol in which RSA is used with only a single 
modulus, but with different encryption and decryption exponents. Therefore our method of 
proof is entirely different from theirs. §§5-7 can be read independently of §4. 

The reason that we prove properties 1, 2 and 3 for the formal credential mechanism instead 
of the actual credential mechanism, is that the following seems likely: for a proper choice of the 
composite modulus and the one-way function, it is computationally infeasible for an individual to 
agree with an organization about the use of a pseudonym, if that individual is not able to agree 
with the organization about the use of the corresponding pseudonym in the formal credential 
mechanism. An investigation of the correctness of this statement is beyond the scope of this 
paper. 

In §8 we mention a few extensions of the credential mechanism. 



2. PROTOCOLS AND ATTACKS 

For the analysis of the credential mechanism provided in this paper, it is necessary to make clear 
what is meant by notions like "protocols" or "attacks on protocols". In this section we give 
definitions of these notions which are modifications of those of DeMillo, Lynch and Merritt 
[DLM 82]. As noted before, this section need not be read before §§3.1-3.4 in which the creden- 
tial mechanism is introduced. 



2.1. Some probability theory 

In the sequel we need some discrete probability theory which is introduced here. 

We fix an enumerable set $\Omega = \{\omega_1, \omega_2, \ldots\}$. To each $\omega_i$ in $\Omega$ we attach a real number 
$\Pr[\omega_i]$ in the closed interval $[0, 1]$ such that 

$$\sum_{i=1}^{\infty} \Pr[\omega_i] = 1 .$$ 

Subsets of $\Omega$ are called events. The probability of event $\mathcal{A}$, denoted by $\Pr[\mathcal{A}]$, is given by 
$\Pr[\mathcal{A}] = \sum_{\omega \in \mathcal{A}} \Pr[\omega]$. 

The conditional probability of event $\mathcal{A}$, given event $\mathcal{B}$, is defined by 

$$\Pr[\mathcal{A} \mid \mathcal{B}] = \frac{\Pr[\mathcal{A} \cap \mathcal{B}]}{\Pr[\mathcal{B}]}$$ 

if $\Pr[\mathcal{B}] \neq 0$ and is not defined otherwise. When stating results involving conditional probabilities 
we always assume that these are defined, without explicitly mentioning this. If $\mathcal{A}_1, \ldots, \mathcal{A}_r$ are 
events with $\Pr[\mathcal{A}_2 \cap \cdots \cap \mathcal{A}_r] \neq 0$, then we have the elementary equality: 

$$\Pr[\mathcal{A}_1 \cap \cdots \cap \mathcal{A}_{r-1} \mid \mathcal{A}_r] = \prod_{i=1}^{r-1} \Pr[\mathcal{A}_i \mid \mathcal{A}_{i+1} \cap \cdots \cap \mathcal{A}_r] . \tag{1}$$ 

A stochastic variable can be any function from $\Omega$ to any arbitrary set. Obviously, a stochas- 
tic variable can assume only finitely or enumerably many values. For each value $x$ of the sto- 
chastic variable $X$, we put $\Pr[X = x] = \Pr[X^{-1}(x)]$, where $X^{-1}(x) = \{\omega \in \Omega : X(\omega) = x\}$. More 
generally, if $X_1, \ldots, X_t$ are stochastic variables with values $x_1, \ldots, x_t$, respectively, we put 

$$\Pr[X_1 = x_1, \ldots, X_t = x_t] = \Pr[X_1^{-1}(x_1) \cap \cdots \cap X_t^{-1}(x_t)] .$$ 

If confusion is not likely to arise, we shall abbreviate $\Pr[X_1 = x_1, \ldots, X_t = x_t]$ by $\Pr[x_1, \ldots, x_t]$. 
We say that a stochastic variable $X$ is uniformly distributed over a finite set $T$ if 
$\Pr[X = y] = (\#T)^{-1}$ for each $y$ in $T$, where as usual, $\#T$ denotes the cardinality of $T$. A sto- 
chastic variable $X$ is said to be independent of the stochastic variables $Y_1, \ldots, Y_r$ if for all values 
$x, y_1, \ldots, y_r$ of $X, Y_1, \ldots, Y_r$, respectively, we have $\Pr[x, y_1, \ldots, y_r] = \Pr[x]\,\Pr[y_1, \ldots, y_r]$. 

Let $X : \Omega \to \mathfrak{X}$ and $Y : \Omega \to \mathfrak{Y}$ be stochastic variables and let $F : \mathfrak{X} \to \mathfrak{Y}$ be a function. 
We write $Y = F(X)$ if $\Pr[\{\omega \in \Omega : Y(\omega) \neq F(X(\omega))\}] = 0$. Obviously, if $\Pr[X = x] \neq 0$ then 
$\Pr[Y = y \mid X = x] = 1$ if $y = F(x)$ and $0$ otherwise. 

We denote the set-theoretic difference of the sets $A$ and $B$ by $A \setminus B$. For any set $A$, we 
denote by $\mathcal{F}(A)$ the collection of finite subsets of $A$ and by $\mathcal{F}^+(A)$ the collection of finite ordered 
tuples with entries in $A$. Both the empty set and the empty tuple are denoted by $\emptyset$. 

2.2. Protocols 

Informally speaking, a protocol is a description of a stochastic process in which participants, 
belonging to a finite set of participants P, transmit messages to each other which belong to a 
finite or enumerable message space M. The time in this stochastic process will be an enumerable 
set of moments, T = {0, 1, 2, ...}. 

The elements of the set M × P × P are named steps. We shall often denote steps (m, α, β) by 
α → β : m ("α sends m to β") if α ≠ β, and α : m ("α generates m") if α = β. 

Let X = M × P × P × T. For any subset y of X (including X itself) and subsets A, B of P and 
U of T, we put 

y(A,B,U) = y ∩ (M × A × B × U) . 

Thus y(A,B,U) describes a set of steps in which a participant of A sends a message to a participant 
in B (or a participant in A generates a message if A ∩ B ≠ ∅) during U. For convenience 






we shall often abbreviate {α} by α and P \ {α} by P_α for α ∈ P, while the subsets {t}, 
{0, ..., t−1}, {0, ..., t}, and {1, 2, ...} of T are for convenience written as t, <t, ≤t, and 
t > 0, respectively. 

A stochastic subset of X will be a mapping from Ω to the collection of subsets of X. If Y is 
such a stochastic subset, then we define Y(A,B,U) by Y(A,B,U)(ω) = Y(ω)(A,B,U) for A, B ⊆ P 
and U ⊆ T. Thus if y is a value of Y, then y(A,B,U) is the corresponding value of Y(A,B,U). 

Definition 1. A protocol 𝒫 is a tuple (P, M, ρ_α : α ∈ P), where P is the (finite) set of participants 
of 𝒫, M is the (finite or enumerable) message space of 𝒫 and ρ_α is the choice for α. 
A choice for α is a collection of functions {ρ_{α,t} : t > 0} such that 

ρ_{α,t} : X(α,P,<t) × X(P_α,α,<t) × F(X(α,P,t)) → [0, 1] , 

Σ_s ρ_{α,t}(x, y, s) = 1 for all x ∈ X(α,P,<t), y ∈ X(P_α,α,<t) . 

Thus a protocol can be considered as a collection of rules according to which communication 
between participants takes place. The actual communication is described in the execution process: 

Definition 2. The execution process of the protocol 𝒫 = (P, M, ρ_α : α ∈ P) is a stochastic subset 
S = S_𝒫 of X = M × P × P × T such that 

(i) for every t ∈ T, the values of S(P,P,t) are finite sets; 

(ii) Pr[S(P,P,0) = ∅] = 1; 

(iii) for each value s of S and α ∈ P, t ∈ T we have 

Pr[s(α,P,t) | s(α,P,<t), s(P_α,P,<t)] 

= Pr[s(α,P,t) | s(α,P,<t), s(P_α,α,<t)] = ρ_{α,t}(s(α,P,<t), s(P_α,α,<t), s(α,P,t)) , 

where ρ_α = {ρ_{α,t} : t > 0} is the choice for α. 

Values of the execution process are called executions. If s is an execution and 
(m,α,β,t) ∈ s(α,β,t) then we say that during execution s, (m,α,β) is executed by α at moment t, 
and that m is sent by α and received by β at moment t if α ≠ β and generated by α at moment t if 

Each choice ρ_α = {ρ_{α,t} : t > 0} for α can be considered as a stochastic system (for instance, a 
mathematical object like a probabilistic Turing machine or a physical object like a computer network) 
which outputs s at moment t with probability ρ_{α,t}(x, y, s) after it has been given input y and 
after it has given output x before moment t. The execution process describes the communication 
between these systems. 

(i) states that at each moment, a participant executes only a finite number of steps, (ii) 
states that at moment 0, "nothing" has happened, (iii) states that whatever a participant does at 
moment t may depend on all messages which it sent or received before moment t, but is not 
influenced by the messages which it did not send or receive. 

It might be possible that for some α ∈ P and t ∈ T, S(α,P,t) assumes the empty set. In that 
case α does "nothing" at moment t. Protocols with a finite running time, t_0, say, can be 
considered as protocols for which Pr[S(P,P,{t ∈ T : t > t_0}) = ∅] = 1. 

Our model differs from that of DeMillo, Lynch and Merritt [DLM 82] in that it satisfies the 
following assumptions: 

• each message arrives at the same moment that it is sent, and at the same receiver to which 
the sender wanted to send its message; 

• participant γ can find out no more about the communication between α and β than what 
he learns about this from his communication with α and β; in other words, the communication 
channel between α and β does not "leak"; 

• the sender and receiver know each other's identity. 

However, situations in which these assumptions are not valid, can be considered in our 
model by adding new participants. For instance, weaknesses in a computer network, causing 
messages to arrive too late or even at the wrong place, or leaking communication channels can be 
described in our model by considering the computer network or the communication channels as 
participants of the protocol. (Partial) sender- or recipient-anonymity can be dealt with in our 
model by giving each participant a number of representatives. The representatives communicate 
with each other and know each other's identities, and each participant communicates with its 
representatives. Apart from its own representatives, no participant has a priori knowledge about 
which representatives belong to which participant, and he might find out something about the 
relationship between the participants and representatives only from the messages which he 
receives during an execution of the protocol. 

From any protocol 𝒫 = (P, M, ρ_α : α ∈ P) it is possible to construct a new one, by dividing 
the participants into pairwise disjoint sets, and considering these sets as participants. Let Q be a 
partition of P, i.e. a collection of pairwise disjoint sets of which the union equals P. Using (1) 
and (3) it is possible to show that for each A in Q and each execution s of 𝒫, 

Pr[s(A,P\A,t) | s(A,P\A,<t), s(P\A,P,<t)] 

= Pr[s(A,P\A,t) | s(A,P\A,<t), s(P\A,A,<t)] (4) 
=: ρ_{A,t}(s(A,P\A,<t), s(P\A,A,<t), s(A,P\A,t)) . 

Thus 𝒫̃ = (Q, M, ρ_A : A ∈ Q) can be considered as a protocol in which ρ_A = {ρ_{A,t} : t > 0} is the 
choice for A. 

2.3. Attacks 

In this subsection we consider attacks on protocols. If ρ_α = {ρ_{α,t} : t > 0} and ρ'_α = {ρ'_{α,t} : t > 0} are 
two choices for α then ρ_α ≠ ρ'_α means that for at least one t, the functions ρ_{α,t} and ρ'_{α,t} are 
different. 

Definition 3. Let 𝒫 = (P, M, ρ_α : α ∈ P) be a protocol and J a (possibly empty) subset of P. An 
attack by J on 𝒫 is a protocol 𝒫' = (P, M, ρ'_α : α ∈ P) such that 

ρ_α ≠ ρ'_α for α ∈ J , ρ_α = ρ'_α for α ∈ P \ J . 

We say that the participants in J are cheating. 

Thus an attack can be interpreted as a violation of the rules of a protocol by some of the partici- 
pants. 

By considering computer networks or communication channels as participants, it is possible 
to describe attacks such as passive or active eavesdropping, or redirection of messages. By using 
representatives, as introduced in the previous subsection, our model allows attacks to be 
described in which some participant pretends to be somebody else. 

In the security analysis of protocols, it is important to know whether non-cheating partici- 
pants are able to find out if other participants are cheating. Below, a precise definition of detec- 
tion of an attack is given. 

Definition 4. Let 𝒫 = (P, M, ρ_α : α ∈ P) be a protocol, J a subset of P and 𝒫' an attack by J on 
𝒫. Denote by S_𝒫, S_𝒫' the execution processes of 𝒫 and 𝒫', respectively, and let s be an execution 
of 𝒫'. We say that α ∈ P \ J can detect 𝒫' during s if 

Pr[S_𝒫(P_α,α,T) = s(P_α,α,T)] = 0 , 

whereas 

Pr[S_𝒫'(P_α,α,T) = s(P_α,α,T)] > 0 . 

One possible way by which α may detect an attack on the protocol 𝒫 is when at some moment t 
he receives messages from a participant β which are not allowed for 𝒫. By this we mean that, 
given the communication between α and β before moment t, α received messages from β at 
moment t which he could not have received with positive probability during an execution of 𝒫. 
(This need not imply that β is cheating.) We now express this by means of the terminology 
introduced above. Let S_𝒫 denote the execution process of 𝒫, and let s be an execution of (an 
attack on) 𝒫. Thus s(α,β,<t) and s(β,α,<t) describe the communication between α and β 
before moment t during s. Then the messages sent from β to α at moment t during execution s 
are allowed for 𝒫 if 

Pr[S_𝒫(β,α,t) = s(β,α,t) | S_𝒫(β,α,<t) = s(β,α,<t) , S_𝒫(α,β,<t) = s(α,β,<t)] > 0 . (5) 

In the situation that we are dealing with cryptographic protocols, participants often have 
limited computational abilities and therefore limited possibilities to cheat. To incorporate this in 
our model we assume that each participant α of some protocol 𝒫 has a collection of choices 𝒢_α, 
each element of which satisfies (2). Then each attack 𝒫' = (P, M, ρ'_α : α ∈ P) on 𝒫 must satisfy 

ρ'_α ∈ 𝒢_α for α ∈ P . (6) 
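As an added illustration of Definitions 2 to 4 (this code is not part of the paper), the following Python enumerates the execution process of a constructed two-participant protocol by multiplying, moment by moment, each participant's choice ρ_{α,t} conditioned only on its own earlier communication, exactly as Definition 2 (iii) prescribes. It then builds an attack by J = {b} in the sense of Definition 3 and evaluates, for each execution of the attack, whether the honest participant a can detect it under Definition 4, i.e. whether a's received view s(P_a, a, T) has probability 0 under 𝒫 but positive probability under 𝒫'. The protocol, the deviation and the message names are all constructed for the example.

```python
# Added example (not from the paper): brute-force evaluation of Definitions 2-4
# for a constructed two-participant protocol with moments 1 and 2.
from fractions import Fraction
from itertools import product

# A step is (message, sender, receiver); an execution is the tuple of step sets
# executed at moments 1, ..., horizon (moment 0 is empty by Definition 2 (ii)).

def honest_b(sent, received, t):
    """Choice rho_{b,t}: at moment 1, b sends a fair coin flip to a; then silence."""
    if t == 1:
        return {frozenset({('0', 'b', 'a')}): Fraction(1, 2),
                frozenset({('1', 'b', 'a')}): Fraction(1, 2)}
    return {frozenset(): Fraction(1)}

def honest_a(sent, received, t):
    """Choice rho_{a,t}: at moment 2, a echoes back what it received from b."""
    if t == 2:
        msgs = sorted(m for (m, snd, _rcv) in received if snd == 'b')
        return {frozenset(('echo:' + m, 'a', 'b') for m in msgs): Fraction(1)}
    return {frozenset(): Fraction(1)}

def cheating_b(sent, received, t):
    """Attack by J = {b}: with probability 1/4, b sends '2', a message the
    honest choice never produces (constructed deviation)."""
    if t == 1:
        return {frozenset({('2', 'b', 'a')}): Fraction(1, 4),
                frozenset({('0', 'b', 'a')}): Fraction(3, 4)}
    return {frozenset(): Fraction(1)}

HONEST = {'a': honest_a, 'b': honest_b}     # protocol P
ATTACK = {'a': honest_a, 'b': cheating_b}   # attack P' by J = {b}

def execution_distribution(choices, horizon):
    """Pr[S = s] for every execution s: at each moment every participant's
    choice is conditioned only on what that participant itself sent or
    received earlier (Definition 2 (iii)), and the choices are multiplied."""
    dist = {(): Fraction(1)}
    for t in range(1, horizon + 1):
        new = {}
        for exe, pr in dist.items():
            options = []
            for alpha, rho in choices.items():
                sent = {st for steps in exe for st in steps if st[1] == alpha}
                received = {st for steps in exe for st in steps if st[2] == alpha}
                options.append(list(rho(sent, received, t).items()))
            for combo in product(*options):
                steps = frozenset().union(*(s for s, _ in combo))
                p = pr
                for _, q in combo:
                    p *= q
                key = exe + (steps,)
                new[key] = new.get(key, Fraction(0)) + p
        dist = new
    return dist

def received_view(exe, alpha):
    """s(P_alpha, alpha, T): what alpha received from others, moment by moment."""
    return tuple(frozenset(st for st in steps if st[2] == alpha and st[1] != alpha)
                 for steps in exe)

def view_probability(dist, alpha, view):
    return sum((p for exe, p in dist.items() if received_view(exe, alpha) == view),
               Fraction(0))

def can_detect(honest_dist, attack_dist, alpha, exe):
    """Definition 4: alpha can detect the attack during exe iff alpha's received
    view has probability 0 under P but positive probability under P'."""
    view = received_view(exe, alpha)
    return (view_probability(honest_dist, alpha, view) == 0
            and view_probability(attack_dist, alpha, view) > 0)

def detection_probability(alpha='a', horizon=2):
    """Probability (under P') of an execution during which alpha can detect P'."""
    honest = execution_distribution(HONEST, horizon)
    attack = execution_distribution(ATTACK, horizon)
    return sum((p for exe, p in attack.items()
                if can_detect(honest, attack, alpha, exe)), Fraction(0))

if __name__ == "__main__":
    print(detection_probability())   # 1/4: only the execution with '2' is detectable
```

The execution in which b sends '0' is not detectable even though it arises from the attack, because a's received view also has positive probability under the honest protocol; this is the distinction Definition 4 draws between an attack taking place and an attack being detectable.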
3. DESCRIPTION OF THE CREDENTIAL MECHANISM 

In §3.1 we explain the main idea behind the credential mechanism. §3.2 contains a more detailed 
overview of the credential mechanism. In §3.3 we give a concise description of the credential 
mechanism by means of a convenient protocol language. This description of the credential 
mechanism will be referred to throughout the paper. §3.4 contains additional comments on the 
credential mechanism. §§3.1-3.4 can be read independently of §2. Finally, in §3.5 we describe a 
mathematical model for the credential mechanism by means of the formalism introduced in §2. 
There, all the notions introduced in §§3.2-3.4 will be given a precise mathematical meaning. 


3.1. Main idea behind the credential mechanism 

Our credential mechanism is a cryptographic protocol based on RSA used with a single composite 
modulus N. The participants of the credential mechanism are individuals and organizations. 
N is public, i.e. known to all participants of the credential mechanism; only one special organization 
in the credential mechanism, the "signature authority" Z, knows how to factor N. The messages 
transmitted in the credential mechanism belong to Z*_N, which is the multiplicative group of 
all residue classes modulo N containing integers coprime with N. The order of Z*_N is as usual 
denoted by φ(N). Only Z has the ability to compute RSA-signatures on these messages. An 
RSA-signature on message m is a message m^c̄ mod N, where c is a public integer coprime with 
φ(N), and c̄ is an integer with c c̄ ≡ 1 mod φ(N), which is known only to Z. The credentials will 
be public positive integers coprime with φ(N), belonging to a finite set C. The product of all 
elements of C is denoted by b. 

Suppose i is an individual participating in the credential mechanism. The pseudonyms used 
by i are formed as follows: first i gets a number u from Z which i uses as a pseudonym with Z; 
then i generates, for each organization A participating in the credential mechanism, a random 
number r_A from Z*_N. Then i uses as pseudonym with A the number u_A = u r_A^b mod N, where b is 
the product of all credentials. For the organizations, these pseudonyms just look like random 
numbers in Z*_N; this prevents different organizations from linking the pseudonyms used by the 
same individual. 

A credential c ∈ C, applying to individual i, can be sent from organization A to organization 
B as follows: 

• A asks Z to compute d_A = u_A^c̄ mod N for him. After A receives this he sends d_A to i. i 
checks if A sent him the correct message by verifying that d_A^c ≡ u_A mod N. 

• i computes d_B = u_B^c̄ by first dividing d_A by r_A^{b/c} and then multiplying with r_B^{b/c}. (Note 
that the exponent b/c is the product of all credentials except c, so that i can compute it.) 

• i sends d_B to B and B verifies that d_B^c ≡ u_B mod N. 

Individuals should never be able to show a credential to some organization if they did not 
get this credential before from another organization. Individuals might be able to compute 
credentials themselves, without having gotten them from some organization, if they have the freedom 
to construct their pseudonyms u_A in another way than described above. If for instance i 
can use u_B = r_B^b mod N as a pseudonym with B instead of u r_B^b mod N, then he can compute each 
credential u_B^c̄ mod N by himself. Moreover, if two individuals i and i' use pseudonyms u_B and 
u_B' = u_B r^b mod N with B, where r is chosen by both individuals, then maybe i' needs to get a 
credential from some other organization before he can compute one for B; but once i is able to 
show a credential to B, i' is able to show the same credential to B, without having gotten it from 
some other organization. 

To avoid the problems just mentioned, we extended our credential mechanism with a validating 
part, which forces individuals to form their pseudonyms u_A in the way described above, 
but does not require individuals to reveal more about how they have actually constructed their 
pseudonyms. In the validating part for pseudonym u_A, i sends messages to Z, which are constructed 
in a special way, by means of a one-way function. These messages are candidates for 
building blocks of a validator, to be issued by Z to i later on. Then Z selects at random half of 
these candidates, and asks i to show how he actually constructed these. If i constructed these 
properly, then Z computes the validator from the candidates of which i did not reveal the construction, 
and submits this validator to i. Because there is an RSA-signature in the validator, i 
could not have computed the validator by himself. Later, i transforms this validator into another 
validator which is shown to A together with pseudonym u_A. There must be a special relationship 
between u_A and this validator which is checked by A. If this relationship holds, A accepts u_A as 
a pseudonym. Z also checks this relationship, to make sure that later he does not issue credentials 
on improperly formed pseudonyms. 

3.2. Overview of the credential mechanism 

In the actual credential mechanism, it does not make a difference whether some individual com- 
municates with some organization, thereby identifying himself with a pseudonym, or some 
representative of this individual communicates with that organization and identifies himself with 
that pseudonym. In our description of the credential mechanism, we shall assume that communi- 
cation takes place between organizations and representatives. Thus the participants in the 
credential mechanism will be the signature authority Z, the organizations A_1, ..., A_L, the individuals 
i_1, ..., i_R and the individuals' representatives, where no representative represents more 
than one individual and each individual has different representatives for the communication with 
different organizations. 

Initialization. The notation introduced here will be used throughout the remainder of this 
paper and will not be re-introduced later. Before the actual credential mechanism starts, Z 
chooses two large primes P and Q and keeps these secret. Then Z makes the modulus N = PQ 
public. After that, Z makes public: 

a set C = {c_1, ..., c_K} of positive integers, to be used as credentials; 

pairs of primes (p_1,q_1), ..., (p_L,q_L) used to make validators for A_1, ..., A_L, respectively; 

an even integer n > 4, the security parameter, which determines the amount of work done in the 
validating part; 

a positive integer a, elements m_1, ..., m_n of Z*_N and a "one-way function" f : Z*_N → Z*_N, which are 
all used in the validating part. 

It is assumed that the numbers φ(N), a, p_1, ..., p_L, q_1, ..., q_L, c_1, ..., c_K are pairwise 
coprime, and that p_1, ..., p_L, q_1, ..., q_L are larger than ½n. (This last condition is just a technical 
one, needed later in some of our arguments.) We put b_j = p_j c_1 ⋯ c_K for j = 1, ..., L. We 
shall not specify f. We assume that f is "close to random" and has at least the properties that 
anybody can easily compute it and that it is not a homomorphism and not invertible by any participant 
of the credential mechanism (possibly apart from Z). (One could take 
f(x) = x^{π_1} + 1 mod N for certain prime numbers π_1 and π_2 or another polynomial which is 
not a power of a linear polynomial. But we do not know if such a choice for f is good enough.) 
All computations, relations etc. in the credential mechanism will be modulo N, and therefore the 
suffix "mod N" will be omitted. If b is a public number, used for exponentiation in RSA then 
the corresponding secret exponent, known only to Z, is denoted by b̄. Thus b b̄ ≡ 1 mod φ(N). In 
general, all expressions in exponents without a bar will be integers computable by all participants 
of the credential mechanism, while only Z is able to compute exponents with a bar. 

Below we give an overview of the whole credential mechanism. It is built up from subproto- 
cols (i.e. collections of steps to be executed in the credential mechanism) which are indicated by 
roman digits and the individual or representative, organization and credential involved. We 
describe that part of the credential mechanism in which i k is involved. The representative of i k 
communicating with Aj is denoted by gj. 

In most of the subprotocols, some participant checks if the messages which it received 
satisfy some special relationship. The check results in 'true' if this relationship holds, and 'false' 
otherwise. No steps in a subprotocol are executed after one of its checks has resulted in 'false'. 

0(i_k): i_k gets a pseudonym from Z. 

• i_k asks Z for a pseudonym. 

• Z checks if a pseudonym can be issued to i_k, and if this is the case, chooses u_k from Z*_N and 
sends this as a pseudonym to i_k. 

I(i_k,A_j): i_k gets a validator from Z which will be shown to A_j in a modified form. Put 
p = p_j, q = q_j, b = b_j. 

• i_k asks Z for a validator for A_j and Z decides if this can be issued. 

• i_k chooses numbers r_l, s_l (l = 1, ..., n) at random from Z*_N. Then he computes r̃_l := m_l r_l^b and 
a_{kl} := f(u_k r̃_l^b) s_l^{pq} for l = 1, ..., n and sends all a_{kl} to Z. (A uniform choice from Z*_N can be 
obtained by choosing an integer uniformly from {1, ..., N}, by doing another choice in the 
unlikely event that this integer has a factor in common with N and so on, until an integer 
coprime with N is chosen.) 

The numbers a_{kl} are the candidates for the building blocks of the validator which will be issued 
by Z later on. These candidates are constructed in a special way but by the uniform choice of 
the numbers r_l, s_l they look just like random elements of Z*_N. This special way of construction 
should give the organizations sufficient security, while the random choice of the numbers r_l, s_l is 
meant for giving individuals the desired privacy. 

• Z selects at random a subset S of {1, ..., n} of cardinality ½n and asks i_k to show, for each l 
in S, numbers r_l and s_l such that a_{kl} = f(u_k (m_l r_l^b)^b) s_l^{pq}. Then Z checks if a_{kl} and the numbers 
r_l, s_l sent to it by i_k satisfy these relationships for l ∈ S. 

• If these relationships are satisfied, then Z computes the validator 

and sends this to i_k. (p̄² denotes a secret exponent corresponding to p².) Then i_k checks if this 
validator has the proper form by verifying that 

II(g_j,A_j): i_k forms a pseudonym u_gj and a validator v_gj from u_k and v_kj, and lets his representative 
g_j show these to A_j. Let again p = p_j, q = q_j, b = b_j, and put t_1 = 1. 

• Let σ be a permutation of {1, ..., n} with σ({½n + 1, ..., n}) = S, where S is the set chosen 
by Z in I(i_k,A_j). Let r̃'_l = r̃_{σ(l)}, s'_l = s_{σ(l)} for l = 1, ..., 

Put r_gj := r̃'_1. i_k computes u_gj := u_k r_gj^b, which will be the pseudonym used with A_j, and 
w_gj := Π_{l=2}^{½n} u_k (r̃'_l)^b. Then i_k sends u_gj and w_gj to g_j, g_j sends these to A_j and finally, A_j sends these 
numbers to Z. 

• A_j and Z check if u_gj ≠ u_g'j and u_gj w_gj ≠ u_g'j w_g'j for each pair u_g'j, w_g'j sent to A_j by some other 
representative g'_j. 

Each individual i k forms a validator to be shown to Aj from the validator issued by Z in 
I(i k ,Aj). The last check prevents different individuals from computing their validators for Aj 
from the same validator issued by Z. 

• i_k computes t_l := r̃'_l / r̃'_1 for l = 2, ..., ½n, and 
? a =4/^(5', •••^r'xv, J 

and sends these numbers to gy. Then gj shows these numbers to Aj and >4, sends them to Z. 
A straightforward computation shows that 

% = Kf n/K'M 9 j (''i • ■ -^r 1 =«£ m/cv^ ■ 

• Both A_j and Z check if 
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/=2 '-» 

If these conditions hold then both A_j and Z accept u_gj. 

III(g_j,A_j,c): A_j issues credential c on the pseudonym of representative g_j. 

• g_j asks A_j for credential c on his pseudonym at the request of i_k. Then A_j checks if this can be 
issued and, after having positively decided on this, asks Z to compute credential c on the pseudonym 
u_gj of g_j. 

• Z checks if u_gj has been shown with a proper validator, and if so, computes d_gj := u_gj^c̄ and sends 
this credential to A_j. A_j issues this credential to g_j and g_j gives it to i_k. 

• i_k checks if d_gj^c = u_gj, and computes d_k := d_gj / r_gj^{b_j/c}. 

IV(g_h,A_h,c): g_h shows credential c on his pseudonym with A_h. 

• i_k computes d_gh = d_k r_gh^{b_h/c} = u_gh^c̄ and sends this to g_h. g_h shows this credential to A_h, and A_h 
checks if d_gh^c = u_gh. 
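The credential transfer described in §3.1 and in subprotocols III and IV above, as an added worked example in Python (this code is not part of the paper). It uses constructed toy parameters: a tiny modulus N = PQ, a credential set C = {5, 13}, two organizations with p_1 = 17 and p_2 = 19, and b_j = p_j c_1 ⋯ c_K as in §3.2. The names and numbers are assumptions for the example only; Z's computations (anything with a barred exponent) are the ones that need φ(N). The last function illustrates the remark in §3.1 that a pseudonym of the form r^b, without the factor u issued by Z, would let an individual pass the credential check with no organization involved, which is what the validating part prevents.

```python
# Added example (not from the paper): the credential transfer of §3.1 and
# subprotocols III/IV of §3.2 with constructed toy parameters. The numbers
# are far too small to be secure and serve only to show the arithmetic.
from math import gcd, prod

P, Q = 1009, 1013               # constructed toy primes; Z keeps them secret
N = P * Q
PHI = (P - 1) * (Q - 1)         # φ(N), known only to Z
C = [5, 13]                     # constructed credential set c_1, c_2
ORG_PRIMES = {1: 17, 2: 19}     # constructed p_j for organizations A_1, A_2
B = {j: p * prod(C) for j, p in ORG_PRIMES.items()}   # b_j = p_j c_1 ... c_K

for e in list(C) + list(ORG_PRIMES.values()):
    assert gcd(e, PHI) == 1     # the paper requires these exponents coprime with φ(N)

def bar(e):
    """Secret exponent ē with e·ē ≡ 1 (mod φ(N)); only Z can compute this."""
    return pow(e, -1, PHI)

def z_sign(m, e):
    """Z's RSA-signature m^ē mod N."""
    return pow(m, bar(e), N)

def pseudonym(u, r, j):
    """u_gj = u_k r_gj^{b_j}: the pseudonym i_k uses with organization A_j."""
    return u * pow(r, B[j], N) % N

def credential_from_org(u_gj, c):
    """Step III.5: Z computes d_gj = u_gj^{c̄} on behalf of A_j."""
    return z_sign(u_gj, c)

def verify_credential(d, u, c):
    """Checks of steps III.7 and IV.3: d^c = u."""
    return pow(d, c, N) == u

def strip_pseudonym(d_gj, r_gj, j, c):
    """Step III.8: d_k = d_gj / r_gj^{b_j/c} = u_k^{c̄}; b_j/c is a public integer."""
    return d_gj * pow(pow(r_gj, B[j] // c, N), -1, N) % N

def show_to_other_org(d_k, r_gh, h, c):
    """Step IV.1: d_gh = d_k · r_gh^{b_h/c} = u_gh^{c̄}."""
    return d_k * pow(r_gh, B[h] // c, N) % N

def transfer_credential(u_k, r, c, j, h):
    """A_j issues c on u_gj, i_k re-blinds it, g_h shows it to A_h.
    Returns (accepted by A_h, d_k equals Z's own signature on u_k)."""
    u_gj, u_gh = pseudonym(u_k, r[j], j), pseudonym(u_k, r[h], h)
    d_gj = credential_from_org(u_gj, c)
    assert verify_credential(d_gj, u_gj, c)        # i_k's check in step III.7
    d_k = strip_pseudonym(d_gj, r[j], j, c)
    d_gh = show_to_other_org(d_k, r[h], h, c)
    return verify_credential(d_gh, u_gh, c), d_k == z_sign(u_k, c)

def forged_credential_on_malformed_pseudonym(r, h, c):
    """§3.1 remark: if i could use r^{b_h} (no factor u from Z) as pseudonym with
    A_h, then r^{b_h/c} already satisfies A_h's check d^c = u, so no organization
    is needed. The validating part exists to rule out such pseudonyms."""
    return verify_credential(pow(r, B[h] // c, N), pow(r, B[h], N), c)

if __name__ == "__main__":
    u_k = 424242                    # constructed pseudonym issued by Z
    r = {1: 12345, 2: 6789}         # constructed r_g1, r_g2, coprime with N
    print(transfer_credential(u_k, r, 5, 1, 2))                  # (True, True)
    print(forged_credential_on_malformed_pseudonym(6789, 2, 5))  # True
```

The identity behind the transfer is d_gj = (u_k r_gj^{b_j})^c̄ = u_k^c̄ r_gj^{b_j/c}, which holds because c divides b_j and c c̄ ≡ 1 mod φ(N); removing r_gj^{b_j/c} therefore leaves Z's signature on u_k itself, which can be re-blinded for any other organization without contacting Z again.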

3.3. Concise description of the credential mechanism. 

We shall use the notation of §3.2. Further notation introduced here will be used later without 
re-introduction. For reference purposes we describe the credential mechanism by means of a 
"protocol language" introduced below. 

Protocol language. 

α → β : m 

α sends message m to β 

α → β → ⋯ → κ : m 

α sends m to β, β sends m to γ ⋯ to κ 

α : chooses y from T 

α chooses an element y from the set T in some unspecified way 

α : chooses y uniformly from T 

α chooses y uniformly from the set T and independently of all other steps executed at 
the same moment or before 

α : computes m := (expression) 

α computes the expression and assigns the value to m 

α → β → ⋯ → κ : checks P 

α computes the value of the predicate P, which is either 'true' or 'false'. Then this value 
is sent from α to β, from β to ⋯ to κ. If this value is 'true' the subprotocol continues; 
otherwise the subprotocol stops immediately after the check. 

Description of the credential mechanism. We shall describe that part of the credential 
mechanism in which individual i_k is involved. The representative of i_k communicating with A_j is 
denoted by g_j, for j = 1, ..., L. First we describe the initialization, before the actual credential 
mechanism starts. 

Initialization 

Z : chooses large primes P, Q 
    computes N := PQ 
    chooses even integer n > 4 and one-way function f 
    chooses m_1, ..., m_n from Z*_N 
    chooses positive integers c_1, ..., c_K, a, p_1, ..., p_L, q_1, ..., q_L 
        such that all these numbers are pairwise coprime and coprime with φ(N) 
        and p_1, ..., p_L, q_1, ..., q_L are primes larger than ½n 
    computes c̄_1, ..., c̄_K, ā, p̄_1, ..., p̄_L, q̄_1, ..., q̄_L 
Z makes public: N, n, f, m_1, ..., m_n, c_1, ..., c_K, a, p_1, ..., p_L, q_1, ..., q_L 

0(i_k). Z gives pseudonym to i_k. 

1. i_k → Z : asks for pseudonym 

2. Z → i_k : checks if pseudonym can be given 

3. Z : chooses u_k from Z*_N 

4. Z → i_k : u_k 

I(i_k,A_j). Z gives i_k validator for A_j. 
Put p = p_j, q = q_j, b = b_j. 

1. i_k → Z : asks for validator for A_j 

2. Z → i_k : checks if a validator for A_j can be issued 

3. i_k : chooses (r_l, s_l : l = 1, ..., n) uniformly from (Z*_N)^{2n} 

4. i_k : computes r̃_l := m_l r_l^b, a_{kl} := f(u_k r̃_l^b) s_l^{pq} (l = 1, ..., n) 

5. i_k → Z : a_{kl} (l = 1, ..., n) 

6. Z : chooses S uniformly from {S ⊆ {1, ..., n} : #S = ½n} 

7. Z → i_k : S 

8. i_k → Z : r_l, s_l (l ∈ S) 

9. Z → i_k : checks a_{kl} = f(u_k (m_l r_l^b)^b) s_l^{pq} for l ∈ S 

10. Z : computes v kJ :=ii k (Y[a k if* 

11. Z->/ fc : 

12. i t -»Z : checks v£/ = 4(11^// 

II(g_j,A_j). g_j shows pseudonym with validator to A_j. 

Let r_l, s_l be the numbers chosen in step 3 of I(i_k,A_j), let S be the set chosen by Z in step 6, and let 
σ be the permutation of {1, ..., n} defined by σ(1) < σ(2) < ⋯ < σ(½n), σ(½n + 1) < ⋯ < σ(n) 
and σ({½n + 1, ..., n}) = S. Put p = p_j, q = q_j, b = b_j and t_1 = 1. 

1. i_k : computes r_gj := r̃_{σ(1)}, u_gj := u_k r_gj^b, w_gj := Π_{l=2}^{½n} u_k (r̃_{σ(l)})^b 

2. i_k → g_j → A_j → Z : u_gj, w_gj 

3. Z → A_j → g_j → i_k : checks u_gj ≠ u_g'j and u_gj w_gj ≠ u_g'j w_g'j for any pair u_g'j, w_g'j 

submitted to A_j by another representative g'_j. 

4. i_k : computes t_l := r̃_{σ(l)} / r̃_{σ(1)} (l = 2, ..., ½n), 

V^"' (n*- W r , »-y < = »£ (ri/M^> 
/=1 '=1 

5. i_k → g_j → A_j → Z : t_l (l = 2, ..., ½n), v_gj 

6. Z-»<;-> & -h* : checks vj' = «| , W , » S =I1»J 

III(g_j,A_j,c). A_j issues credential c to g_j. 

Let r_gj have the same meaning as in step 1 of II(g_j,A_j). 

1. i_k → g_j → A_j : asks for credential c 

2. A_j → g_j → i_k : checks if c can be issued 

3. A_j → Z : u_gj 

4. Z → A_j : checks if it has received proper validator for u_gj 

5. Z : computes d_gj := u_gj^c̄ 

6. Z → A_j → g_j → i_k : d_gj 

7. i_k → g_j → A_j → Z : checks d_gj^c = u_gj 

8. i_k : computes d_k := r_gj^{−b_j/c} d_gj (= u_k^c̄) 

IV(g_h,A_h,c). g_h shows credential c to A_h. 

d_k will be the number computed in step 8 of III(g_j,A_j,c) and u_gh, r_gh will be the numbers computed 
in step 1 of II(g_h,A_h). 

1. i_k : computes d_gh := d_k r_gh^{b_h/c} (= u_gh^c̄) 

2. i_k → g_h → A_h : d_gh 

3. A_h → g_h → i_k : checks d_gh^c = u_gh 

3.4. Comments 

This subsection contains some remarks and assumptions on the credential mechanism. 

Outside world. Participants of the credential mechanism may not only communicate with 
each other, mostly over some computer network, but also with the "outside world". For instance, 
events happening in the outside world may influence an organization's decision to issue a creden- 
tial, or an individual's decision to ask for or show a credential. For that reason, the outside 
world should be considered as another participant of the credential mechanism. 

Time order of the steps. The credential mechanism is built up from the subprotocols in the 
set Π consisting of 

0(i_k), I(i_k,A_j), II(g_j,A_j), III(g_j,A_j,c), IV(g_j,A_j,c) 

for all individuals i_k, representatives g_j and organizations A_j. In each subprotocol 𝒫 of Π, certain 
relationships between messages are checked, resulting in the value 'true' if the relationship 
holds and 'false' otherwise. We agreed that no steps in 𝒫 are executed after one of the checks in 
𝒫 resulted in 'false'. We say that a subprotocol in Π has been properly executed if it has been 
executed such that none of its checks resulted in 'false'. We require that subprotocols are executed 
without any interruption. We allow that different subprotocols in Π run in parallel or in 
overlapping time intervals, however with the following obvious 

Consistency restriction: 

• steps in I(i_k,A_j) are executed only after 0(i_k) has been properly executed; 

• if g_j is the representative of i_k communicating with A_j, then steps in II(g_j,A_j) are executed 
only after I(i_k,A_j) has been properly executed; 

• steps in III(g_j,A_j,c) are executed only after II(g_j,A_j) has been properly executed; 

• steps in IV(g_h,A_h,c) are executed only after III(g_j,A_j,c) has been properly executed for 
some j in {1, ..., L} and some g_j representing the same individual as g_h. 

There might be more restrictions on the time order in which the steps in the credential 
mechanism are executed, for instance: 

• pseudonyms, validators or credentials must be issued before some "deadline"; 

• the time passing between the moment that an individual or its representative gets a pseu- 
donym, validator or credential from an organization, and the moment that another 
representative of this individual shows this to another organization, depends statistically on 
events in the outside world; 

• the decision of an organization about issuing a particular credential on a pseudonym 
depends on whether other credentials have been shown on that pseudonym, on the number 
of times that that credential has been issued before on other pseudonyms, or on messages 
received from the outside world. 

Simple credential mechanism. A possible way to state properties of the credential mechan- 
ism, is to compare it with the following simple credential mechanism. 

When some organization agrees to give a credential c to an individual, that organization 
just gives the individual's representative the number c, without any cryptographic protection. 
Later on, another representative of that individual shows this number c to another organization. 
The validating part of this credential mechanism runs as follows: individual i_k asks Z for permission 
to communicate with organization A_j. If Z gives this permission then he sends a special 
validator v_j to i_k which is independent of i_k. Later, i_k initiates the conversation with A_j by letting 
his representative show v_j to A_j. 

Obviously, this simple credential mechanism does not give the organizations any security; 
individuals are always able to show a validator or credential to some organization by means of 
their representatives without having got this from another organization. This simple credential 
mechanism would work well if none of the individuals would ever cheat; compared with other 
possible credential mechanisms, it gives individuals maximal possibilities of getting validators or 
credentials and maximal freedom in choosing the moments at which they show these to some 
organization. 

Main condition: except for cheating, our credential mechanism should give individuals as 
many abilities as the simple credential mechanism described above, more precisely: 

the credential mechanism must offer each participant the same freedom in communicating with 
the outside world, and each non-cheating individual the same possibilities of getting validators or 
credentials and the same freedom in deciding when to ask for or show these to some organiza- 
tion, as the simple credential mechanism described above. 

Checks. The checks done in the credential mechanism are divided in two parts: the decision 
checks in which organizations check if they can issue a pseudonym, validator or credential to 
some individual or representative; and the other, so-called security checks by which participants 
may detect attacks. In any execution of the credential mechanism, no step in a subprotocol 𝒫 in 
Π is executed after some check in 𝒫 has resulted in 'false'; we allow however that the execution 
of a subprotocol is repeated after a security check by an individual has resulted in 'false'. If no 
participant cheats, then all security checks will give the value 'true'; only the checks in steps 3 of 
the sets II(g_j,A_j) may give the value 'false' with very small probability. 

We now briefly discuss the checks in steps 3 of the sets II(g_j,A_j). These checks differ from 
the other security checks in that they compare messages which were sent by different representatives 
to an organization. Without these checks, two individuals, i_1 and i_2, say, can successfully 
conspire in the following way against A_j: i_1 follows the validating part and lets his representative 
g_1j show u_1, w_1 to A_j in step 2, and v_1, t_12, ..., t_{1,½n} in step 5 of II(g_1j,A_j), where 
Vin _2 Vin _ 

1=2 1=2 

(b —bj, p =pj and q =qj have the same meaning as in §3.3). i 2 chooses u 2 = u\t\ m for some m 
in { 1, . . . , Vin}, where t u : = 1, and computes w 2 : = u 1 w 1 / u 2 , v 2 : = t\£ p v l 
hi'- = f i,7</) / ' im for I = 2, ... , l hn, where t is a permutation of {1. . . . , Vin} with r(m)= 1. 
Then i_2 lets his representative g_2j show u_2, w_2, v_2 and t_2l (l = 2, ..., ½n) to A_j in II(g_2j,A_j). 
All security checks by A_j in II(g_2j,A_j) are satisfied, except that u_1 w_1 = u_2 w_2, hence without the 
check in step 3, A_j would have accepted both u_1 and u_2. It is easy to check that credentials 
issued on u_1 can be easily transformed into credentials on u_2 and vice versa. 

Suppose that $A_j$ received $u_1$ and $w_1$ from representative $g_{1j}$ in step 2 of $\mathrm{II}(g_{1j},A_j)$. Problems might arise when there is a dispute in which $A_j$ claims that it received numbers $u_2$ and $w_2$ from another representative $g_{2j}$ such that $u_1 = u_2$ or $u_1 w_1 = u_2 w_2$ and refuses to accept pseudonym $u_1$, and that $g_{1j}$ does not accept this refusal. Below we describe a method to deal with such a dispute with the help of a mutually trusted referee, in such a way that $g_{1j}$ does not have to reveal which individual it represents. We assume that $\frac12 n$, where $n$ is the security parameter, is coprime with all the primes $p_j, q_j$ and credentials $c$ introduced in §3.2.

For $i = 1,2$, let $u_i$ and $w_i$ be the numbers sent to $A_j$ in step 2, $v_i = v_{g_{ij}}$ the validator computed in step 4, and $t_i$ the tuple $(t_{i2},\ldots,t_{i,\frac12 n})$ sent to $A_j$ in step 5, where all steps belong to $\mathrm{II}(g_{ij},A_j)$. In the case of a dispute as described above, each $g_{ij}$ sends $u_i, w_i, v_i$ and $t_i$ to the referee. First the referee computes the tuples $o_i = (u_i,\; u_i t_{il}^{\,b} : l = 2,\ldots,\frac12 n)$ for $i = 1,2$. Note that none of these tuples needs contain distinct entries. Then the referee checks if indeed $u_1 = u_2$ or $u_1 w_1 = u_2 w_2$, and

$$w_i = \prod_{l=2}^{\frac12 n} u_i t_{il}^{\,b} \qquad \text{for } i = 1,2. \tag{7}$$



If (7) holds and the two tuples $o_1$ and $o_2$ can be made equal by reordering, then the referee concludes that the individual represented by $g_{1j}$ conspired with somebody else and decides that $A_j$ does not have to accept $u_1$ as a pseudonym. His motivation for this conclusion is the following: since for any integer $d$ with $\gcd(d,\phi(N)) = 1$ the mapping $x \mapsto x^d$ is bijective, the tuple $o_1$ can be considered as a random tuple in $(Z_N^*)^{\frac12 n}$. The number of tuples in $(Z_N^*)^{\frac12 n}$ which contain $u_1$ and whose other $\frac12 n - 1$ entries have product $w_1$ is equal to $\frac12 n\,\phi(N)^{\frac12 n - 2}$. If $g_{1j}$, or the individual which it represents, did not reveal the set $o_1$ before showing it to the referee, then somebody else could have generated $u_2$ and $t_2$ such that $o_1$ equals $o_2$ after reordering only by correctly guessing a tuple which is, apart from its order, equal to $o_1$, while knowing no more than $u_1$ and $w_1$. But the chance of such a correct guess is at most $(\frac12 n)!\,\phi(N)^{2-\frac12 n}$. In practical situations, when $N$ has about 200 digits, this probability can be neglected.

If $o_1$ can not be made equal to $o_2$ by reordering, then the referee accuses signature authority $Z$ of cheating. From $u_1 w_1 = u_2 w_2$ it follows that by cooperation, $g_{1j}$ and $g_{2j}$ can compute $(u_1 u_2^{-1})^{1/b}$ (of course, $g_{1j}$ and $g_{2j}$ can compute this also if $u_1 = u_2$). The referee assumes that participants in the credential mechanism other than $Z$ have only a negligibly small chance of learning at the same time numbers $u_1, u_2$ with $u_1 = u_2$ or $u_1 w_1 = u_2 w_2$, tuples $t_i = (t_{i2},\ldots,t_{i,\frac12 n})$ of elements of $Z_N^*$ and validators $v_i$ satisfying (7) for $i = 1,2$, such that no reordering of $o_1$ is equal to $o_2$. Theorem 3 in §7.2 can be considered as a motivation for this.
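The referee's decision procedure described above, as an added worked example that is not part of the paper: it forms the tuples $o_i$, checks (7) and the dispute condition, compares $o_1$ and $o_2$ as multisets, and constructs the two ways a conflicting second tuple can arise, namely the conspiracy of $i_2$ from the text and a completion that requires a $b$-th root modulo $N$, which only a party knowing $\phi(N)$ can compute. The toy modulus, exponent and tuple entries are constructed values; the validator $v_i$ is omitted and the function names are assumptions.

```python
"""Referee check for a pseudonym dispute (section 3.4) on a constructed toy instance."""
from collections import Counter
from math import gcd

# Constructed toy parameters: N = P*Q, exponent b coprime with phi(N),
# and tuples with 1/2 n = 3 entries (the pseudonym u_i plus t_i2, t_i3).
P, Q = 101, 103
N = P * Q                      # 10403
PHI = (P - 1) * (Q - 1)        # 10200, known only to Z in the real protocol
B = 7
assert gcd(B, PHI) == 1        # x -> x^b is then a bijection on Z_N^*


def inv(x, n):
    """Multiplicative inverse in Z_n^*."""
    return pow(x, -1, n)


def tuple_o(u, t, b, n):
    """o_i = (u_i, u_i t_il^b : l = 2..1/2 n); t holds t_i2, ..., t_{i,1/2 n}."""
    return [u % n] + [u * pow(tl, b, n) % n for tl in t]


def holds_7(u, w, t, b, n):
    """Equation (7): w_i = prod_{l=2}^{1/2 n} u_i t_il^b (mod N)."""
    prod = 1
    for tl in t:
        prod = prod * u * pow(tl, b, n) % n
    return prod == w % n


def honest_party(u, t, b, n):
    """Numbers (u_i, w_i, t_i) an honest representative shows to A_j."""
    w = 1
    for tl in t:
        w = w * u * pow(tl, b, n) % n
    return (u % n, w, [tl % n for tl in t])


def conspire(party1, m, b, n):
    """i_2's construction from the text: u_2 = u_1 t_1m^b, w_2 = u_1 w_1 / u_2 and
    t_2l = t_{1,tau(l)} / t_1m with t_11 := 1; tau is taken as the transposition
    (1 m), which satisfies the requirement tau(m) = 1."""
    u1, w1, t1 = party1
    full = [1] + list(t1)                        # full[l-1] == t_1l

    def tau(l):
        return m if l == 1 else 1 if l == m else l

    u2 = u1 * pow(full[m - 1], b, n) % n
    w2 = u1 * w1 * inv(u2, n) % n
    t2 = [full[tau(l) - 1] * inv(full[m - 1], n) % n
          for l in range(2, len(full) + 1)]
    return (u2, w2, t2)


def complete_with_phi(party1, u2, t2_head, b, n, phi):
    """Complete a second tuple so that u_2 w_2 = u_1 w_1 and (7) hold, with u_2 and
    all but the last t_2l chosen freely. The last entry is a b-th root modulo N,
    i.e. it needs b^{-1} mod phi(N): the knowledge only Z has in the credential
    mechanism, which is why the referee accuses Z when o_1 and o_2 differ."""
    u1, w1, t1 = party1
    w2 = u1 * w1 * inv(u2, n) % n                # forced by u_2 w_2 = u_1 w_1
    k = len(t1)                                  # 1/2 n - 1 entries in t_i
    partial = pow(u2, k, n)
    for tl in t2_head:
        partial = partial * pow(tl, b, n) % n
    last_pow_b = w2 * inv(partial, n) % n        # = t_last^b
    t_last = pow(last_pow_b, pow(b, -1, phi), n)
    return (u2 % n, w2, [tl % n for tl in t2_head] + [t_last])


def referee(party1, party2, b, n):
    """The referee's decision of section 3.4."""
    u1, w1, t1 = party1
    u2, w2, t2 = party2
    if not (u1 % n == u2 % n or u1 * w1 % n == u2 * w2 % n):
        return "no conflict"                     # A_j's refusal is unfounded
    if not (holds_7(u1, w1, t1, b, n) and holds_7(u2, w2, t2, b, n)):
        return "malformed"                       # (7) fails for one party
    if Counter(tuple_o(u1, t1, b, n)) == Counter(tuple_o(u2, t2, b, n)):
        return "individual conspired"           # A_j need not accept u_1
    return "accuse Z"


# Constructed scenario: i_1's representative, a conspirator, and a Z-style completion
# that reuses u_1 itself and an unrelated entry 99.
PARTY1 = honest_party(1234, [55, 789], B, N)
CONSPIRATOR = conspire(PARTY1, 2, B, N)
Z_COMPLETED = complete_with_phi(PARTY1, 1234, [99], B, N, PHI)

if __name__ == "__main__":
    print("conspirator:", referee(PARTY1, CONSPIRATOR, B, N))   # individual conspired
    print("completed  :", referee(PARTY1, Z_COMPLETED, B, N))   # accuse Z
```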



3.5. A mathematical model for the credential mechanism 

In this subsection we shall describe the credential mechanism by means of the terminology introduced in §2. To this end, we must interpret each step described in §3.3 as a step in an execution of a protocol in the sense of §2, and give the notions introduced in §3.4 a precise meaning.

After having introduced some necessary notation, we consider the checks, introduce the "shadow", which is an extraction of the credential mechanism that contains in essence the same information as the simple credential mechanism of §3.4, consider the steps executed by the participants of the credential mechanism in more detail, give a proper formulation of the "main condition" by using the shadow, and finally consider the time order in which the steps are executed.

In our model for the credential mechanism we assume that all communication channels are secure against passive and active eavesdropping, and that messages are received at the same moment that they are sent and at the right place. The only essential assumptions in our analysis of the credential mechanism are that the communication channels between individuals and their representatives, and between the organizations and $Z$, are secure. The analysis of the credential mechanism in this paper still holds true if the other assumptions are removed; however, this would require uninteresting technical complications in our arguments.

Notation. We shall use the same notation as in §2 and §3.1–3.4. In particular, $T = \{0,1,2,\ldots\}$ denotes the time, and $N$ the composite modulus of the underlying RSA-system. We suppose that the set consisting of $N, n, f, m_1,\ldots,m_n, c_1,\ldots,c_K, a, p_1,\ldots,p_L, q_1,\ldots,q_L$ is fixed and known to each participant before the credential mechanism starts. Again we assume that $\phi(N), c_1,\ldots,c_K, a, p_1,\ldots,q_L$ are pairwise coprime and that $p_1,\ldots,q_L$ are primes larger than $\frac12 n$. Let $\Pi$ be the set of subprotocols introduced in §3.4 and $\mathbb N = \{1,2,\ldots\}$. Put (cf. §2.1)

$$Y = F^{+}(Z_N^*) \cup F(\{1,\ldots,n\}) \cup \{\text{true},\text{false}\}.$$

The set of participants $P$ of the credential mechanism consists of the outside world $E$, the signature authority $Z$, the organizations $A_j$ ($j = 1,\ldots,L$), the individuals $i_k$ ($k = 1,\ldots,R$), a set of $LR$ representatives, and the allocation center $C$, which is responsible for allocating the representatives to the individuals. We shall discuss later in more detail how this allocation takes place. The message space $M$ is equal to $M' \cup M''$, where $M' = \Pi \times \mathbb N \times Y$ and $M''$ is an unspecified set containing the messages which $E$ and $C$ may send or receive.

Let $\mathcal P \in \Pi$. For convenience we denote the set $\{\mathcal P\}\times\mathbb N\times Y\times P_E\times P_E\times T$ by $\mathcal P$ as well. Thus $\Pi$ defines a partition of $M'\times P_E\times P_E\times T$ in subprotocols. A step of the form $((\mathcal P,r,y),\alpha,\beta)$ corresponds to the step of $\mathcal P$ in the description of §3.3 which has number $r$ at the left margin, and in which $y$ is sent from $\alpha$ to $\beta$ (or generated by $\alpha$ if $\alpha = \beta$). Messages in which an individual or representative asks for a pseudonym, validator or credential will be indicated by triples $(\mathcal P, r, \emptyset)$, for appropriate $\mathcal P$ and $r$. Any step of the form $((\mathcal P,r,y),\alpha,\beta)$ is indicated as "step $r$ of $\mathcal P$".

Checks. Apart from the security and decision checks described in §3.4, the participants must do some other checks. We assume that at each moment that an individual, $Z$ or an organization receives messages from another participant, it checks if these messages are allowed for the credential mechanism (cf. §2.3, (5)). (For instance, $Z$ checks that the tuple which it receives in step 4 of $\mathrm I(i_k,A_j)$ has exactly $2n$ entries, and each individual or organization checks if the time order in which he receives certain messages from some participant is not in conflict with the consistency restriction.) These obvious additional checks are also called security checks. Messages which are allowed for the credential mechanism will satisfy all security checks with only the following exception: that two individuals, with representatives $g_{1j}$ and $g_{2j}$ for $A_j$, respectively, do not cheat and by accident generate their numbers such that the checks in step 3 of $\mathrm{II}(g_{1j},A_j)$ and $\mathrm{II}(g_{2j},A_j)$ result in 'false'.

As before, we assume that a step in $\mathcal P$ is executed only if no previously executed step in $\mathcal P$ contained a check which resulted in 'false', but allow that the execution of $\mathcal P$ is repeated after a security check of the individual involved in $\mathcal P$ resulted in 'false'.

Shadow. The mapping $\sigma$ on the message space $M$ is defined as follows:

$$\sigma(m) = m \quad \text{if } m \in M'' \text{ or } m = (\mathcal P,r,y)\in M' \text{ with } y\in\{\text{true},\text{false}\},$$

$$\sigma(m) = (\mathcal P,r) \quad \text{if } m = (\mathcal P,r,y)\in M' \text{ with } y\notin\{\text{true},\text{false}\}.$$

$\sigma$ is extended to $X = M\times P\times P\times T$ by putting

$$\sigma(m,\alpha,\beta,t) = (\sigma(m),\alpha,\beta,t).$$

For $a\subseteq X$ we put $\sigma(a) = \{\sigma(s) : s\in a\}$. For each subset $\eta$ of $\sigma(X)$ we write $\eta(A,B,U) = \eta\cap\sigma(M\times A\times B\times U)$ for $A,B\subseteq P$ and $U\subseteq T$. If $S$ is the execution of (an attack on) the credential mechanism then we put $\Sigma = \sigma(S)$, and for any subsets $A$ and $B$ of $P$ and $U$ of $T$ we abbreviate $\sigma(S(A,B,U))$ by $\Sigma(A,B,U)$. $\Sigma$ is called the shadow of the (attack on the) credential mechanism.

The shadow is essentially equal to the simple credential mechanism of §3.4, except that it 
contains values of security checks. But if no participant cheats then these security checks will all 
result in 'true' with very high probability. 

Individuals, organizations and $Z$. If a value of $\Sigma$ is given (i.e. the moments at which the participants execute their steps), then the steps executed by individuals and organizations are completely determined, except for the choices of the pseudonyms in step 1 of $\mathrm I(i_k,A_j)$ (which are not specified), the uniform choices of the tuples $(r_l,s_l : l = 1,\ldots,n)$ in step 3 of $\mathrm I(i_k,A_j)$, and the sets $S$ generated in step 6 of $\mathrm I(i_k,A_j)$, for $1\le k\le R$ and $1\le j\le L$. When saying that at moment $t$, $\alpha$ makes a uniform choice from a finite set $\Gamma$, we implicitly assume that this choice is independent of the other steps executed at or before moment $t$ in which $\alpha$ generated, sent or received a message. We now explain this with the terminology of §2.

Let $\Gamma$ be a finite subset of $Y$. By "$\alpha$ chooses $y$ uniformly from $\Gamma$ at moment $t$ in step $r$ of $\mathcal P$" the following is meant: let $\Gamma(\mathcal P,r,\alpha,t)$ denote the choice of $\alpha$ at moment $t$ in step $r$ of $\mathcal P$, and let $W(\mathcal P,r,\alpha,t)$ denote the collection of other steps in which $\alpha$ generated, sent or received a message at or before moment $t$, i.e.

$$W(\mathcal P,r,\alpha,t) = \big(S(\alpha,P,\le t)\cup S(P_\alpha,\alpha,\le t)\big)\setminus\big(\{(\mathcal P,r)\}\times\Gamma(\mathcal P,r,\alpha,t)\times\{(\alpha,\alpha,t)\}\big).$$

Then for each $y$ in $\Gamma$, and each value $w$ of $W(\mathcal P,r,\alpha,t)$, we have

$$\Pr[\Gamma(\mathcal P,r,\alpha,t) = y \mid (\mathcal P,r,\alpha,\alpha,t)\in\Sigma(\alpha,\alpha,t),\; W(\mathcal P,r,\alpha,t) = w] = \frac{1}{\#\Gamma}. \tag{8}$$

The following two cases are of interest to us:

• $\Gamma = (Z_N^*)^{2n}$, $\#\Gamma = \phi(N)^{2n}$, $\alpha = i_k$, $\mathcal P = \mathrm I(i_k,A_j)$, $r = 3$;

• $\Gamma = \{S\subseteq\{1,\ldots,n\} : \#S = \frac12 n\}$, $\#\Gamma = \binom{n}{\frac12 n}$, $\alpha = Z$, $\mathcal P = \mathrm I(i_k,A_j)$, $r = 6$.

For the sake of completeness we mention that (8) also holds in case of an attack on the credential mechanism in which $\alpha$ does not cheat but may receive messages from cheating participants.

Representatives, allocation center and outside world. We assume that none of the representatives, the allocation center $C$ or the outside world $E$ will ever cheat. In no execution of (an attack on) the credential mechanism does $E$ send messages to or receive messages from $C$ or the representatives.

During executions of (attacks on) the credential mechanism, $E$ and $C$ send only messages from $M''$ and "neglect" messages outside $M''$ which they may have received during an execution of some attack on the credential mechanism, i.e. the messages they generate or send are statistically independent of received messages which do not belong to $M''$. Moreover, the allocation center sends messages only to individuals and representatives and neglects messages received from other participants than those.

The representatives belong to a fixed set of cardinality $LR$. We explain how the allocation of representatives to individuals takes place. At moment 1, $C$ allocates a representative to each pair $(i_k,A_j)$, in such a way that different representatives are allocated to different pairs. It is assumed that each allocation has the same probability $((LR)!)^{-1}$. At moment 2, $C$ informs each individual which representatives are allocated to him for communication with the organizations $A_1,\ldots,A_L$, respectively, and informs each representative to which individual it has been allocated and for communication with which organization.

Let $g_j$ be the representative of individual $i_k$ communicating with $A_j$. After $g_j$ has been informed that it has been allocated to $i_k$ for communication with $A_j$, its activities during any execution of (an attack on) the credential mechanism consist only of the following: if $g_j$ receives message $m$ at moment $t$ from a participant $\neq i_k$, then it sends $m$ to $i_k$ at moment $t+1$; whereas if $g_j$ receives $m$ from $i_k$ at moment $t$, then it sends $m$ to $A_j$ at moment $t+1$.

Representatives and allocation center are merely artificial constructions, meant to make the description of the mathematical model somewhat easier, and to explain how the credential mechanism looks from the point of view of the organizations. In general, they will not be used in practical implementations of the credential mechanism.

Main condition. $\Sigma(\alpha,P,t)$ describes the communication of participant $\alpha$ with the outside world or the allocation center at moment $t$, the probability with which $\alpha$ may show pseudonyms, validators or credentials at moment $t$ if $\alpha$ is an individual, or the probability with which $\alpha$ may issue a validator or credential at moment $t$ if $\alpha$ is an organization. The conditional probability of $\Sigma(\alpha,P,t)$ given $S(\alpha,P,<t)$ and $S(P_\alpha,\alpha,<t)$ describes the freedom of participants to communicate with the outside world, the freedom of individuals to decide whether to ask for or show a pseudonym, validator or credential, and the freedom for $Z$ or the organizations to issue such a pseudonym, validator or credential, at moment $t$. This freedom should be as large as in the simple credential mechanism, and hence any restrictions on this freedom should be expressible in the shadow. Thus the main condition can be stated as follows:

for each $\alpha$ in $P$, $t$ in $T$ and execution $s$ of the credential mechanism we have

$$\Pr[\sigma(\alpha,P,t)\mid s(\alpha,P,<t),\,s(P_\alpha,\alpha,<t),\,\mathrm{sec}(\alpha,t)] = \Pr[\sigma(\alpha,P,t)\mid\sigma(\alpha,P,<t),\,\sigma(P_\alpha,\alpha,<t),\,\mathrm{sec}(\alpha,t)], \tag{9}$$

where $\sigma = \sigma(s)$, $\mathrm{sec}(E,t) = \emptyset$, and $\mathrm{sec}(\alpha,t)$ is the set of values of security checks by $\alpha$ at moment $t$ on messages received from participants other than $E$ if $\alpha\neq E$. If we assume that all security checks result in 'true' (which is extremely likely during executions of the credential mechanism if no participant cheats), then (9) implies that $\Sigma$ is an execution process of a protocol in the sense of §2.

We remark that (9) holds true also for an attack on the credential mechanism in which $\alpha$ does not cheat.

Time order of steps. The shadow of the credential mechanism describes the order of the moments at which the steps in the credential mechanism can be executed. We require that steps from the same subprotocol are executed in the same order as described in §3.3, and at consecutive moments. The time order in which steps from different subprotocols are executed is subject to the consistency restriction given in §3.4. Other restrictions on the time order of the steps (e.g. those given in §3.4) must imply the main condition (9).



4. UNLINKABILITY 

An equivalent statement of property 4 mentioned in §1.1 says that the credential mechanism does not reveal any information about which representatives represent which individuals. This property can not be proved in this strict sense. Suppose, for instance, that first signature authority $Z$ gives a validator to individual $i_k$ and that later a representative $g_j$ shows a validator to $A_j$, at a moment at which no other validators have been issued or shown. Then $Z$ and $A_j$ will find out by cooperation that $g_j$ represents $i_k$. Another situation where information is revealed about the linking between representatives and individuals is the following: suppose that credential $c$ is issued only once, on a pseudonym of representative $g_j$, say, and shown once on a pseudonym of representative $g_{j'}$. Then by cooperation, the issuing and receiving organization will find out that $g_j$ and $g_{j'}$ represent the same individual. We notice that information of the type mentioned above would also be revealed if, instead of the credential mechanism of §3.5, the simple credential mechanism described in §3.4 had been used. Using the model of §3.5 for the credential mechanism, we shall prove that the credential mechanism is optimal in the following sense: all information revealed by the credential mechanism about the relationship between individuals and representatives is already revealed by the shadow of the credential mechanism. As mentioned in §3.5, this shadow is essentially equal to the simple credential mechanism considered in §3.4.

4.1. Statement of the result

We shall use the same notation and make the same assumptions as in §§2,3. Thus $P$ is a set consisting of signature authority $Z$, the organizations $A_1,\ldots,A_L$, the individuals $i_1,\ldots,i_R$, $LR$ representatives, the allocation center $C$ and the outside world $E$. Let $J$ be a subset of $P$ consisting of $Z, A_1,\ldots,A_L$ and some of the individuals, and let $J_0 = \{i_1,\ldots,i_R\}\setminus J$ be a set of non-cheating individuals. We consider attacks by subsets of $J$ on the credential mechanism. An attack on the credential mechanism is called safe for $J$ if it has the following properties (cf. §§2.3, 3.5):

• if the messages received by an organization (or $Z$) before moment $t$ from a representative (or individual) were allowed for the credential mechanism, then at moment $t$ that organization ($Z$) sends back messages to that representative (individual) which are also allowed for the credential mechanism;

• no individual sends messages to other individuals or to other individuals' representatives; however, individuals may communicate over the outside world.

Loosely speaking, in safe attacks, cheating individuals, organizations and $Z$ try to hide their cheating from individuals which they believe do not cheat, or from representatives which they believe represent a non-cheating individual. An organization can only be sure that some representative represents a cheating individual if it receives messages from that representative which are not allowed for the credential mechanism. The only property of safe attacks which we shall use is that the messages received by the non-cheating individuals in $J_0$ from participants other than $E$ will satisfy all security checks by these individuals. This is true since in particular the messages received by these individuals' representatives from the organizations are allowed for the credential mechanism. We assume that $Z$ has infinite computational resources, i.e. we make no further restrictions on the choices of $Z$.

Before stating Theorem 1, we recall that the allocation center is denoted by $C$. Thus $\Sigma(C,J_0,2)$ denotes the allocation of representatives at moment 2 to the individuals in $J_0$ (cf. §3.5). We shall abbreviate this by $\Sigma(C,J_0)$. Values $\sigma(C,J_0,2)$ of $\Sigma(C,J_0,2)$ will correspondingly be abbreviated by $\sigma(C,J_0)$. We define $\Theta_t$ as the union of $J_0$ and the set of representatives of $J_0$ which have communicated with some organization up to moment $t$. Then for each $t>1$ there is a function $\theta_t$ such that $\Theta_t = \theta_t(S(P,J,<t))$, since $\Theta_t$ contains exactly those representatives not allocated in $\Sigma(C,J,2)$. $S$ will denote the execution process of (an attack on) the credential mechanism, $\Sigma = \sigma(S)$ (cf. shadow in §3.4) and $\Sigma(A,B,U) = \sigma(S(A,B,U))$ for $A,B\subseteq P$ and $U\subseteq T$.

THEOREM 1. Let $J$ be a set consisting of $Z, A_1,\ldots,A_L$ and some of the individuals, and $J_0 = \{i_1,\ldots,i_R\}\setminus J$. Then for each attack on the credential mechanism which is safe for $J$ and in which the individuals in $J_0$ do not cheat, each execution $s$ of this attack, and each $t>1$ we have

$$\Pr[\sigma(C,J_0)\mid s(J,P,\le t),\, s(P,J,\le t)] = \Pr[\sigma(C,J_0)\mid \Theta_t = \theta_t,\; \sigma(J,\theta_t\cup E,<t),\; \sigma(\theta_t\cup E,J,\le t)],$$

where $\sigma = \sigma(s)$ and $\theta_t = \theta_t(s(P,J,<t))$.

As mentioned above, from $s(J,P,\le t)$ and $s(P,J,\le t)$ it is possible to find out which representatives are allocated to individuals in $J_0$. Theorem 1 tells us that all additional information revealed to $J$ about which representative represents precisely which individual in $J_0$ is already revealed by the shadow of the credential mechanism.

Remark 1. In the case that organizations do not know which individuals are cheating, they can try to find this out by statistically analyzing their set of received messages. We can not state an analogue of Theorem 1 when the set of individuals in $J$ is not fixed, since the collection of attacks on the credential mechanism is not endowed with a probability measure.

Remark 2. Suppose that in Theorem 1, $J = \{Z,A_1,\ldots,A_L\}$ and $J_0$ consists of all individuals, and that up to moment $t$ the following happened: for $j = 1,\ldots,L$, all individuals got their validators for $A_j$ at the same moment, and all representatives showed their validator to $A_j$ at the same moment; and moreover, no credential was issued or shown. Then $\Theta_t = \theta_t$, where $\theta_t$ consists of all individuals and representatives, and the sets $\Sigma(J,\theta_t,<t)$ and $\Sigma(\theta_t,J,\le t)$ are independent of $\Sigma(C,J_0)$. Hence in this situation, all information revealed to $J$ about $\Sigma(C,J_0)$ is coming from the sets $\Sigma(J,E,\le t)$ and $\Sigma(E,J,\le t)$, i.e. from $J$'s communication with the outside world.

Remark 3. In the statement of Theorem 1, it is essential to assume that the credentials $c_1,\ldots,c_K$, the exponent $a$ and the primes $p_1,\ldots,q_L$ used in the validating part are all coprime with $\phi(N)$. The individuals have the certainty that this requirement is satisfied if, for instance, all these numbers are primes larger than $\frac12 N$. Below we describe a protocol, based on an injective one-way function $h$, in which any individual can convince himself with probability at least $2/3$ that some odd exponent $d$ made public by $Z$ is coprime with $\phi(N)$. That individual can reduce $Z$'s chance of successful cheating by repeating this protocol as many times as he wants. Let $i_k$ be an individual. In step 1, $i_k$ chooses a number $x$ uniformly from $Z_N^*$ and sends $y := x^d$ to $Z$. In step 2, $Z$ computes $x'$ with $x'^d = y$ and sends $h_0 := h(x')$ to $i_k$. In step 3, $i_k$ checks if $h(x) = h_0$.

If $d$ is coprime with $\phi(N)$, then the value $x'$ computed by $Z$ is always equal to $x$, and hence $h_0$ is equal to $h(x)$. Suppose that $d$ is not coprime with $\phi(N)$, and let $d_P$, $d_Q$ denote the numbers of solutions of $x^d \equiv 1 \bmod P$ and $x^d \equiv 1 \bmod Q$, respectively, where $P$ and $Q$ are the prime factors of $N$. Then there are exactly $d_P d_Q$ different $x'$ with $x'^d \equiv y \bmod N$. $Z$ knows that $i_k$ must have chosen $x$ in step 1 as one of the $d$-th roots of $y$, but he has no information about which root was precisely chosen by $i_k$. Hence in step 3 $Z$ can do no better than guessing which root was chosen by $i_k$, and the chance that he guesses wrong is $1 - (d_P d_Q)^{-1}$, which is at least $2/3$. By the injectivity of $h$, the chance that $i_k$ will receive a value $h_0$ different from $h(x)$ in step 3 is at least $2/3$. $i_k$ might try to cheat by sending $Z$ a value $y$ in step 1 of which he does not know the $d$-th root. However, if the one-way function $h$ used in step 3 is "good enough", then $i_k$ will not be able to compute the $d$-th root of $y$ from $h_0$.
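The exponent-checking protocol of Remark 3, as an added example rather than the paper's own code: it enumerates the $d$-th roots of $y$ in $Z_N^*$ for a toy modulus, runs the three steps with $Z$ forced to guess among the roots, and computes the exact probability that $i_k$'s check fails together with the number of repetitions needed to push a cheating $Z$'s survival chance below a bound. SHA-256 stands in for the injective one-way function $h$; the modulus and all function names are constructed assumptions.

```python
"""Remark 3: convincing i_k that an odd public exponent d is coprime with phi(N)."""
from fractions import Fraction
from math import gcd
import hashlib
import random

# Constructed toy modulus: N = 143, phi(N) = 120. Then d = 3 and d = 15 are
# NOT coprime with phi(N), while d = 7 is.
P, Q = 11, 13
N = P * Q
UNITS = [x for x in range(1, N) if gcd(x, N) == 1]      # Z_N^*


def h(x):
    """Stand-in for the injective one-way function h (assumption: SHA-256)."""
    return hashlib.sha256(str(x).encode()).hexdigest()


def dth_roots(y, d):
    """All x' in Z_N^* with x'^d = y (mod N); exhaustive search, fine for a toy N."""
    return [x for x in UNITS if pow(x, d, N) == y]


def root_count_formula(d):
    """d_P * d_Q: solutions of x^d = 1 mod P times solutions of x^d = 1 mod Q.
    In the cyclic group Z_P^* of order P-1 that count is gcd(d, P-1)."""
    return gcd(d, P - 1) * gcd(d, Q - 1)


def z_step2(y, d, rng):
    """Step 2 as Z executes it: pick some x' with x'^d = y and return h_0 = h(x').
    When y has several d-th roots, Z has no information about which one i_k
    chose, so the best it can do is pick one uniformly."""
    return h(rng.choice(dth_roots(y, d)))


def protocol_round(d, rng):
    """Steps 1 and 3 from i_k's side; True when the check h(x) == h_0 passes."""
    x = rng.choice(UNITS)            # step 1: x uniform in Z_N^*
    y = pow(x, d, N)
    h0 = z_step2(y, d, rng)          # step 2, run by Z
    return h(x) == h0                # step 3


def simulate(d, rounds, seed):
    """Number of rounds, out of `rounds`, in which i_k's check failed."""
    rng = random.Random(seed)
    return sum(not protocol_round(d, rng) for _ in range(rounds))


def detection_probability(d):
    """Exact probability, over uniform x and Z's uniform guess, that the check
    fails. Every y in the image has the same number k of roots, so this is 1 - 1/k."""
    total = Fraction(0)
    for x in UNITS:
        k = len(dth_roots(pow(x, d, N), d))
        total += Fraction(k - 1, k)
    return total / len(UNITS)


def rounds_for_confidence(d, max_cheat_prob):
    """Repetitions after which a cheating Z survives every check with probability
    at most max_cheat_prob; None when d is coprime with phi(N) (nothing to detect)."""
    p_pass = 1 - detection_probability(d)
    if p_pass == 1:
        return None
    rounds, surviving = 0, Fraction(1)
    while surviving > max_cheat_prob:
        surviving *= p_pass
        rounds += 1
    return rounds


if __name__ == "__main__":
    for d in (7, 3, 15):
        print(d, gcd(d, (P - 1) * (Q - 1)), root_count_formula(d),
              detection_probability(d), simulate(d, 100, 0))
```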
4.2. Lemmas

The idea behind the proof of Theorem 1 is to construct, from the messages sent or received by $Z$ and the organizations and from a given allocation of representatives to individuals, a set of tuples $(r_l,s_l : l = 1,\ldots,n)$ chosen by the individuals in step 3 of each subprotocol $\mathrm I(i_k,A_j)$, and to argue that the sets of tuples constructed from different allocations have equal probability. In this section we state and prove two lemmas needed in the proof.

Let $J$ consist of $Z, A_1,\ldots,A_L$ and some of the individuals, and let $J_0 = \{i_1,\ldots,i_R\}\setminus J$. We fix an attack on the credential mechanism which is safe for $J$ and in which the individuals in $J_0$ do not cheat, and denote the execution process of this attack by $S$. Further we put $\Sigma = \sigma(S)$. Up to now, by an execution we just meant an arbitrary value of the execution process of the attack we are considering, which can be any subset of $X = M\times P\times P\times T$. In the sequel we shall restrict ourselves to proper executions, i.e. executions $s$ with the following properties:

• the set of elements of $s$ belonging to the subprotocols in which individuals in $J_0$ or their representatives are involved satisfies the description of these subprotocols in §3.3; in particular, in each step 3 of $\mathrm I(i_k,A_j)$ with $i_k\in J_0$ a tuple $(r_l,s_l : l = 1,\ldots,n)\in(Z_N^*)^{2n}$ is chosen, and in each of the subprotocols involving individuals in $J_0$ or their representatives, the messages are computed as prescribed in §3.3, and the steps are executed in the order corresponding with the description of §3.3 and at consecutive moments;

• $s$ satisfies the conditions imposed on the messages generated, sent or received by $E$, $C$ and the representatives as described in §3.5;

• the time order in which the steps in $s$ involving an individual in $J_0$ or one of his representatives are executed is subject to the consistency restriction of §3.4.

In attacks which are safe for $J$ and in which the individuals in $J_0$ do not cheat, executions which are not proper always have probability 0. There may be proper executions with probability 0.

In Lemma 1 below we compute the probability of a proper execution. We put $J_0' = J_0\cup\{E\}$. For any proper execution $s$ with $\sigma = \sigma(s)$, and any subset $U$ of $T$, we denote by $\kappa(\sigma(J_0,P,U))$ the number of all steps 3 of $\mathrm I(i_k,A_j)$ executed during $U$, for $i_k\in J_0$ and $1\le j\le L$. It is clear that this number depends indeed only on $\sigma(J_0,P,U)$.

Lemma 1. For every $t\ge 0$ there are functions $A_t$ and $B_t$ such that for each proper execution $s$,

$$\Pr[s(P,P,\le t)] = \phi(N)^{-2n\,\kappa(\sigma(J_0,P,\le t))}\times A_t\big(\sigma(J_0',P,\le t),\,\sigma(C,J_0),\,\theta_t,\,\sigma(J,\theta_t\cup E,<t)\big)\times B_t\big(s(J,P,\le t),\,s(P,J,\le t)\big),$$

where $\sigma = \sigma(s)$ and $\theta_t = \theta_t(s(P,J,<t))$ is the value for $\Theta_t$.

Proof. In the proof of this lemma only, undefined conditional probabilities will be given the value 1. We shall prove Lemma 1 by induction on $t$. We start with $t = 0$. The statement of Lemma 1 trivially holds true for $t = 0$ by taking $\kappa(\sigma(J_0,P,0)) = 0$ and letting $A_0$ and $B_0$ be functions identically equal to 1. Suppose that Lemma 1 has been proved for moment $t-1$, where $t>0$ (induction hypothesis). We proceed to prove Lemma 1 for moment $t$.

Let $s$ be a proper execution. For convenience we put

$$\Pr(t) = \Pr[s(P,P,\le t)],\qquad \Pr(t-1) = \Pr[s(P,P,<t)].$$

Let $R$ denote the set of representatives. By (1) (cf. §2.1) we have

$$\Pr(t) = \Pr[s(J_0',P,\le t),\,s(C,P,\le t),\,s(R,P,\le t),\,s(J,P,\le t)] = P_1P_2P_3P_4\,\Pr(t-1), \tag{10}$$

where

$P_1 = \Pr[s(J_0',P,t)\mid s(J_0',P,<t),\,s(C,P,<t),\,s(R,P,<t),\,s(J,P,<t)]$,

$P_2 = \Pr[s(C,P,t)\mid s(J_0',P,\le t),\,s(C,P,<t),\,s(R,P,<t),\,s(J,P,<t)]$,

$P_3 = \Pr[s(R,P,t)\mid s(J_0',P,\le t),\,s(C,P,\le t),\,s(R,P,<t),\,s(J,P,<t)]$,

$P_4 = \Pr[s(J,P,t)\mid s(J_0',P,\le t),\,s(C,P,\le t),\,s(R,P,\le t),\,s(J,P,<t)]$.

Note that (10) also holds true if some of the conditional probabilities on the right-hand side are not defined. Moreover, if one of the conditional probabilities in (10) is not defined, then one of the other factors in the right-hand side of (10) is 0. Therefore, (10) remains true if we replace an undefined conditional probability by any value we like. To the defined conditional probabilities we may apply (4) (cf. §2.2) with the partition $J_0', \{C\}, R$ and $J$ of $P$. Thus we obtain

$$\Pr(t) = P_1'P_2'P_3'P_4'\,\Pr(t-1), \tag{11}$$

where

$P_1' = \Pr[s(J_0',P,t)\mid s(J_0',P,<t),\,s(P,J_0',<t)]$,

$P_2' = \Pr[s(C,P,t)\mid s(C,P,<t),\,s(P,C,<t)]$,

$P_3' = \Pr[s(R,P,t)\mid s(R,P,<t),\,s(P,R,<t)]$,

$P_4' = \Pr[s(J,P,t)\mid s(J,P,<t),\,s(P,J,<t)]$.

Because of the relationships between messages sent and received by the representatives, which hold also for our proper execution $s$, we have $P_3' = 1$. Moreover, if $t = 1$ we have $P_2' = ((LR)!)^{-1}$, since each allocation is equally likely; if $t = 2$ then $P_2' = 1$, since the messages sent by the allocation center to the individuals and representatives are determined by the allocation at moment 1; and if $t>2$ then also $P_2' = 1$, since $s(C,P,t) = \emptyset$ with probability 1. (Here we used that $s$ satisfies the conditions on the messages generated and sent by $C$.) By combining these facts we obtain that there is a function $C_t$ such that

$$P_2'P_3'P_4' = C_t\big(s(J,P,\le t),\,s(P,J,<t)\big). \tag{12}$$

We now consider $P_1'$. Suppose for the moment that $P_1'$ is defined. All elements of
$s(J_0',P,t)$ are of the form $x = (m,\alpha,\beta,t)$, where $\alpha\in J_0'$. If $m\in M''$, or $m = (\mathcal P,r,y)\in M'$ and $y\in\{\text{true},\text{false}\}$, then $x\in\sigma(J_0',P,t)$. Otherwise we have $m = (\mathcal P,r,y)$, where $(\mathcal P,r,\alpha,\beta,t)$ belongs to $\sigma(J_0',P,t)$ and $y$ is either a tuple $(r_l,s_l : l = 1,\ldots,n)$ chosen in step 3 of some $\mathrm I(i_k,A_j)$, or can be derived from a tuple previously chosen in step 3 of some $\mathrm I(i_k,A_j)$ and from messages previously received by $J_0$, by using the computations in the credential mechanism described in §3.3. It follows that $S(J_0',P,t)$ is completely determined by $\Sigma(J_0',P,t)$, $B(t)$, $S(J_0',P,<t)$ and $S(P,J_0',<t)$, where $B(t)$ is the set of tuples chosen at moment $t$ in step 3 of some $\mathrm I(i_k,A_j)$ for $i_k\in J_0$. Let $b(t)$ be the value of $B(t)$ corresponding to $s(J_0',P,t)$. Then

$$P_1' = \Pr[b(t),\,\sigma(J_0',P,t)\mid s(J_0',P,<t),\,s(P,J_0',<t)] = P_{11}'P_{12}', \tag{13}$$

where

$P_{11}' = \Pr[b(t)\mid \sigma(J_0',P,t),\,s(J_0',P,<t),\,s(P,J_0',<t)]$,

$P_{12}' = \Pr[\sigma(J_0',P,t)\mid s(J_0',P,<t),\,s(P,J_0',<t)]$.

$b(t)$ contains exactly $\kappa(\sigma(J_0',P,t))$ tuples $(r_l,s_l : l = 1,\ldots,n)$. By assumption, the distributions of these tuples are uniform on $(Z_N^*)^{2n}$ and independent of each other and of $S(J_0',P,<t)$ and $S(P,J_0',<t)$. By repeatedly applying (8) to these tuples and using (1) we obtain

provided that $P_{11}'$ is defined. If $P_{11}'$ is not defined then $P_{12}' = 0$; hence (13) still holds true if we replace $P_{11}'$ by the right-hand side of (14). Since we are considering a safe attack, the security checks by individuals in $J_0$ on messages received from participants other than $E$ will be satisfied with probability 1. Therefore we may apply main condition (9) for each $\alpha$ in $J_0'$ without the stochastic variable $\mathrm{sec}(\alpha,t)$ on both sides of the equality. By combining (9) for each $\alpha$ in $J_0'$ with (1), we obtain

$$P_{12}' = \Pr[\sigma(J_0',P,t)\mid\sigma(J_0',P,<t),\,\sigma(P,J_0',<t)]. \tag{15}$$

We note that $E$ receives messages only from $J_0$, $E$ and $J$, that $\sigma(J_0',E,<t)$ is contained in $\sigma(J_0',P,<t)$, while $\sigma(J,E,<t)$ is contained in $\sigma(J,\theta_t\cup E,<t)$. $J_0$ receives messages only from $C$, $E$, $Z$ and the representatives in $\theta_t$. $\sigma(E,J_0,<t)$ and $\sigma(Z,J_0,<t)$ are contained in $\sigma(J_0',P,<t)$ and $\sigma(J,\theta_t\cup E,<t)$, respectively. Moreover, from the relationship between messages sent and messages received by representatives (which holds for proper executions), it follows that $\sigma(\theta_t,J_0,<t)$ is uniquely determined by $\sigma(C,J_0)$ and $\sigma(J,\theta_t,<t)$. By combining these facts we conclude that $\sigma(P,J_0',<t)$ can be expressed as a function of $\sigma(J_0',P,<t)$, $\sigma(C,J_0)$, $\theta_t$ and $\sigma(J,\theta_t\cup E,<t)$. A combination of this with (13), (14) and (15) yields that there is a function $D_t$ with

$$P_1' = \phi(N)^{-2n\,\kappa(\sigma(J_0,P,t))}\, D_t\big(\sigma(J_0',P,\le t),\,\sigma(C,J_0),\,\theta_t,\,\sigma(J,\theta_t\cup E,<t)\big).$$

By combining this with (12) and (11) we obtain

$$\Pr(t) = \phi(N)^{-2n\,\kappa(\sigma(J_0,P,t))}\, D_t\big(\sigma(J_0',P,\le t),\,\sigma(C,J_0),\,\theta_t,\,\sigma(J,\theta_t\cup E,<t)\big)\, C_t\big(s(J,P,\le t),\,s(P,J,<t)\big)\,\Pr(t-1).$$

Note that this is true also if $P_1'$ is not defined. Together with the induction hypothesis this proves Lemma 1 for moment $t$. □

Let $F_1,\ldots,F_r$ be functions of $S$. We say that the values $s_1,\ldots,s_r$ of $F_1(S),\ldots,F_r(S)$, respectively, come from the same proper execution if there is a proper execution $s$ such that $s_1 = F_1(s),\ldots,s_r = F_r(s)$. Lemma 2 gives the number of possibilities for the messages generated, sent or received by the individuals in $J_0$, given only the moments at which the individuals in $J_0$ generate, send or receive their messages, the allocation of representatives to $J_0$, and the steps involving the members of $J$.

Lemma 2. There is a function $\lambda$ with the following property: for each $t>0$, and all values $\sigma_0$ of $\Sigma(J_0',P,<t)$, $\sigma_{C0}$ of $\Sigma(C,J_0)$, $\theta_t$ of $\Theta_t$, $s_{JP}$ of $S(J,P,<t)$, $s_{PJ}$ of $S(P,J,<t)$, $\sigma_{J\cdot}$ of $\Sigma(J,\theta_t\cup E,<t)$, and $\sigma_{\cdot J}$ of $\Sigma(\theta_t\cup E,J,<t)$, such that

$$\Pr[s_{JP},\,s_{PJ},\,\theta_t,\,\sigma_{J\cdot},\,\sigma_{\cdot J}] > 0$$

and

$\sigma_0, \sigma_{C0}, \theta_t, \sigma_{J\cdot}, \sigma_{\cdot J}$ come from the same proper execution,

there are exactly $\phi(N)^{2n\kappa(\sigma_0)-\lambda(n,\theta_t,\sigma_{\cdot J})}$ values $s_0$ of $S(J_0',P,<t)$ such that $s_0, \sigma_0, \sigma_{C0}, \theta_t, s_{JP}, s_{PJ}, \sigma_{J\cdot}$ and $\sigma_{\cdot J}$ come from the same proper execution.

Proof. In this proof we shall often refer to the description of the credential mechanism in §3.3, 
and the reader is advised to consult this. The values s_0 of S(J'_0,P,<t) we are looking for consist 
of tuples x = (m,α,β,u) with m ∈ M, α ∈ J'_0, β ∈ P and u < t. If m ∈ M'' or m = (𝒫,r,y) ∈ M' 
with y ∈ {true, false} then x ∈ σ_0. For the remaining tuples x we have α ≠ E, β ≠ E and 
m = (𝒫,r,y) ∈ M', where each σ(x) = (𝒫,r,α,β,u) is contained in σ_0 and the set of values y must 
satisfy the constraints imposed by the description of the credential mechanism in §3.3, the given 
allocation of representatives, and the steps in which the members of J generated, sent or received 
their messages before moment t. Our purpose is to count the number of possibilities for the set 
of values y. From the description of the credential mechanism in §3.3 it follows that each y is 
either equal to one of the tuples (r_l, s_l : l = 1, …, n) generated in the steps 3 of I(i_k,A_j) up to 
moment t, or can be derived from these tuples and the messages received by J_0 up to moment t 
from Z or their representatives, by using the computations prescribed in the credential mechanism. 
But in proper executions, the messages received by J_0 can be determined from the allocation 
σ_C0 and s_JP. Hence the number of possibilities for the set of values y is equal to the number 
of possibilities for the set of tuples (r_l, s_l : l = 1, …, n) generated in each step 3 of I(i_k,A_j) up to 
moment t for i_k ∈ J_0 and 1 ≤ j ≤ L. We shall prove that this number is equal to 

φ(N)^{2nκ(σ_0) − λ(n,θ_t,σ_*J)}, where 

λ(n,θ_t,σ_*J) = nλ_1 + ½nλ_2 + 2λ_3 + (½n − 2)λ_4, (16) 

and λ_1 is the number of steps 5 of I(i_k,A_j), λ_2 the number of steps 8 of I(i_k,A_j), λ_3 the number 
of steps 2 of II(g_j,A_j), and λ_4 the number of steps 5 of II(g_j,A_j), for all i_k ∈ J_0, g_j and 
organizations A_j, which are executed up to moment t. Note that all these steps are contained in 
σ_*J. 

Let i_k ∈ J_0 and g_j the representative allocated to i_k for communication with A_j. Suppose 
that at or before moment t, step 3 of I(i_k,A_j) has been executed (this can be derived from σ_0), 
and let ρ = (r_l, s_l : l = 1, …, n) be the tuple chosen in this step. We have to count the number of 
values for ρ such that ρ, σ_0, σ_C0, …, σ_*J come from the same proper execution. Each step v, 
executed up to moment t, in which Z or an organization receives a message from an individual in 
J_0 or one of its representatives (which is contained in s_PJ), imposes certain constraints on ρ, 
which will reduce the number of possibilities for ρ. Without any of these constraints, there are 
φ(N)^{2n} possibilities for ρ. 

If v is step 5 of I(i_k,A_j), then Z receives numbers a_{kl} (l = 1, …, n) which should be equal 
to f(u_k(m_l r_l^a)^{b_j}) s_l^{p_j q_j}. These relationships reduce the number of possibilities for ρ by a factor 
φ(N)^n. Indeed, since p_j q_j is coprime with φ(N), each r_l determines a unique s_l such that these 
relationships are satisfied. 

If v is step 8 of I(i_k,A_j) then Z receives r_l, s_l with l ∈ S, where S is the set sent by Z to i_k 
in step 7. As remarked before, each s_l is determined by a_{kl} and r_l and does not impose 
additional conditions on ρ. Obviously, the released values r_l reduce the number of possibilities for ρ 
by a factor φ(N)^{½n}. 

If v is step 2 of II(g_j,A_j), then A_j receives u_{g_j}, which must be equal to u_k(m_{σ(1)} r_{σ(1)}^a)^{b_j}, and w_{g_j}, 
which must be equal to u_{g_j}^{½n−1} (∏_{l=2}^{½n} t_l)^{b_j}, where σ is the permutation defined in the description 
of II(g_j,A_j) in §3.3, and t_l = m_{σ(l)} r_{σ(l)}^a (m_{σ(1)} r_{σ(1)}^a)^{−1} for l = 1, …, ½n. Since both a and b_j are coprime with 
φ(N), r_{σ(1)} and ∏_{l=2}^{½n} r_{σ(l)} are uniquely determined by u_{g_j} and w_{g_j}. This reduces the number of 
possibilities for ρ by a factor φ(N)^2. 

Finally, if v is step 5 of II(g_j,A_j) then A_j receives v_{g_j}, and also the numbers t_l (l = 2, …, ½n), 
which should be equal to m_{σ(l)} r_{σ(l)}^a (m_{σ(1)} r_{σ(1)}^a)^{−1}, respectively. From this it is possible to determine uniquely 
a set of values r_l not shown to Z in step 8 of I(i_k,A_j). Since each of these r_l determines a 
unique s_l, this leaves us only one possibility for ρ. In other words, the number of possibilities for 
ρ is reduced by a factor φ(N)^{½n−2}. 

Other steps v in which Z or the organizations received messages up to moment t do not 
further reduce the number of possibilities for ρ. Thus for each tuple ρ generated in step 3 of 
some I(i_k,A_j) we have a specified number of possibilities. We obtain (16) by taking the product 
of all these numbers of possibilities, over all steps 3 of all I(i_k,A_j) with i_k ∈ J_0, executed at or 
before moment t. □ 
4.3. Proof of Theorem 1 

We shall prove that for each t ≥ 1 there are functions E_t and F_t such that for all values σ_C0 of 
Σ(C,J_0), θ_t of Θ_t, s_JP of S(J,P,<t), s_PJ of S(P,J,≤t), σ_J* of Σ(J,Θ_t ∪ E,<t) and σ_*J of 
Σ(Θ_t ∪ E,J,<t), with Pr[θ_t,s_JP,s_PJ,σ_J*,σ_*J] = Pr[s_JP,s_PJ] > 0 we have 

Pr[σ_C0,s_JP,s_PJ] = φ(N)^{−λ(n,θ_t,σ_*J)} E_t(σ_C0,θ_t,σ_J*,σ_*J) F_t(s_JP,s_PJ). (17) 

This suffices. For by summing over all σ_C0 we obtain that there is a function G_t with 

Pr[s_JP,s_PJ] = φ(N)^{−λ(n,θ_t,σ_*J)} G_t(θ_t,σ_J*,σ_*J) F_t(s_JP,s_PJ). 

Hence G_t(θ_t,σ_J*,σ_*J) ≠ 0 and F_t(s_JP,s_PJ) ≠ 0. This gives 

Pr[σ_C0 | s_JP,s_PJ] = E_t(σ_C0,θ_t,σ_J*,σ_*J) / G_t(θ_t,σ_J*,σ_*J) = Pr[σ_C0 | σ_J*,σ_*J,θ_t]. 

We now prove (17). We fix σ_C0, θ_t, s_JP, s_PJ, σ_J*, σ_*J with Pr[θ_t,s_JP,s_PJ,σ_J*,σ_*J] ≠ 0 and 
assume that Pr[σ_C0,θ_t,σ_J*,σ_*J] ≠ 0, which is no restriction. We have 



Pr[σ_C0,s_JP,s_PJ] = Σ_{σ_0} Σ_{s_0} Pr[s_0,s_JP,s_PJ,σ_C0] (18) 



where the outer sum is taken over all values σ_0 of Σ(J'_0,P,<t) such that σ_0, σ_C0, θ_t, σ_J*, σ_*J come 
from the same proper execution, and the inner sum over all values s_0 of S(J'_0,P,<t) such that 
s_0, σ_0, σ_C0, θ_t, s_JP, s_PJ, σ_J* and σ_*J come from the same proper execution. From s_0, σ_C0, s_JP 
and s_PJ it is possible to derive all steps executed by C and the representatives. Hence if s_0, σ_0, 
σ_C0, θ_t, s_JP, s_PJ, σ_J* and σ_*J come from the same proper execution s, then Pr[s_0,s_JP,s_PJ,σ_C0] = 
Pr[s(P,P,≤t)]. By Lemma 1 this implies that 

Pr[s_0,s_JP,s_PJ,σ_C0] = φ(N)^{−2nκ(σ_0)} A_t(σ_0,σ_C0,θ_t,σ_J*) B_t(s_JP,s_PJ). 

Together with Lemma 2 this gives 

Σ_{s_0} Pr[s_0,s_JP,s_PJ,σ_C0] = φ(N)^{−λ(n,θ_t,σ_*J)} A_t(σ_0,σ_C0,θ_t,σ_J*) B_t(s_JP,s_PJ). 

By taking the sum over all σ_0 for which σ_0, σ_C0, θ_t, σ_J* and σ_*J come from the same proper 
execution, we obtain 

Σ_{σ_0} Σ_{s_0} Pr[s_0,s_JP,s_PJ,σ_C0] = φ(N)^{−λ(n,θ_t,σ_*J)} E_t(σ_C0,θ_t,σ_J*,σ_*J) B_t(s_JP,s_PJ) 

for some function E_t. Together with (18) this implies (17). This completes the proof of Theorem 
1. □ 
5. THE FORMAL CREDENTIAL MECHANISM 

In this section we describe a formal credential mechanism which is similar to that of §3 except 
that it is based on an "ideal RSA-cryptosystem" of which the underlying message space is a free 
multiplicative module over the rational numbers with denominator coprime with φ(N), and the 
one-way function maps this message space onto multiplicatively independent elements of this space. 
In §§6,7 we shall analyze this formal credential mechanism for protection of organizations against 
cheating individuals. 

5.1. Description of the underlying message space 

In order to give a proper description of the underlying cryptosystem we have to introduce some 
notions about free multiplicative modules. 

For any set 𝒱 and any integral domain ℛ, we denote by ℛ[𝒱] the set of all finite formal 
products 

V_1^{ξ_1} ⋯ V_t^{ξ_t} 

where ξ_1, …, ξ_t ∈ ℛ and V_1, …, V_t are different elements of 𝒱. The empty product is denoted 
by 1. We shall identify two formal products V_1^{ξ_1} ⋯ V_t^{ξ_t} and W_1^{η_1} ⋯ W_s^{η_s} if and only if there is 
an r with r ≤ t and r ≤ s such that after reordering the terms of both products, ξ_i = 0 for 
r < i ≤ t, η_j = 0 for r < j ≤ s, and V_i = W_i and ξ_i = η_i for 1 ≤ i ≤ r. ℛ[𝒱] is a free ℛ-module, of which 
the addition is the multiplication of formal products, defined by adding the exponents, and scalar 
multiplication is raising a formal product to a power in ℛ, i.e. multiplying the exponents of that 
product with that power. 

We shall recursively construct a free ℛ-module which contains 𝒱 and which is closed under 
application of some "formal one-way function". Put 

ℛ_1 = ℛ[𝒱], ℱ_1 = {F_X : X ∈ ℛ_1}; 

ℛ_i = ℛ[ℛ_{i−1} ∪ ℱ_{i−1}], ℱ_i = {F_X : X ∈ ℛ_i ∖ ℛ_{i−1}} for i = 2, 3, 4, … 

and assume that F_X ≠ F_Y if X ≠ Y and ℱ_i ∩ ℛ_i = ∅ for i = 1, 2, 3, …. Put ℱ = ∪_{i=1}^{∞} ℱ_i and define 
the function F : ℛ[𝒱 ∪ ℱ] → ℱ by F(X) = F_X. The module ℛ[𝒱 ∪ ℱ] endowed with the function 
F just defined is denoted by ℛ[F,𝒱]. Different choices of the sets ℱ_i will lead to isomorphic 
modules ℛ[F,𝒱]. If 𝒲 is a subset of ℛ[F,𝒱] we denote by ℛ[F,𝒲] the smallest ℛ-submodule of 
ℛ[F,𝒱] which contains 𝒲 and is closed under application of F. 

To the numbers u_1, …, u_R issued to the individuals i_1, …, i_R by Z in the credential 
mechanism, and to m_1, …, m_n, chosen by Z during the initialization of the credential 
mechanism, we associate formal variables U_1, …, U_R, M_1, …, M_n, respectively. Also other formal 
variables H_1, …, H_T are introduced, which correspond to numbers chosen by the individuals 
themselves. Let 

Q = {a/b : a, b ∈ ℤ, gcd(b, φ(N)) = 1}, 

𝒳 = {U_1, …, U_R, M_1, …, M_n, H_1, …, H_T}, 
𝒵 = Q[F,𝒳], 

where F is a formal one-way function as described above. 

F-homomorphisms as defined below establish a relationship between the pairs (𝒵,F) and 
(Z_N^*,f). A mapping ψ : 𝒵 → Z_N^* is called an F-homomorphism if it has the following properties: 

ψ is a homomorphism with respect to multiplication; 
ψ(F(W)) = f(ψ(W)) for W ∈ 𝒵; 
ψ(W^{a/b}) = (ψ(W)^a)^{b^{−1}} for W ∈ 𝒵, a ∈ ℤ, b ∈ ℤ with gcd(b, φ(N)) = 1; 
ψ(U_k) = u_k for k = 1, …, R, ψ(M_l) = m_l for l = 1, …, n. 

Thus an F-homomorphism is uniquely determined by its images of H_1, …, H_T. 

5.2. Computations on 𝒵 

𝒵 is closed under the following operations: multiplications, multiplicative inversions, applications 
of F, and taking roots, i.e. raising to powers a^{−1} where a is an integer coprime with φ(N). We 
shall endow 𝒵 with a computational model, based on these operations, which is used in protocols 
of which (part of) the transmitted messages are elements of 𝒵. 

A computation on 𝒵 is a repeated application of multiplications, multiplicative inversions, 
and F (but not taking roots) to elements of 𝒵. If 𝒴 ⊆ 𝒵 then X ∈ 𝒵 is said to be computable from 
𝒴 if it can be obtained by applying a computation to elements of 𝒴. Thus the set of elements of 
𝒵 computable from 𝒴 is equal to ℤ[F,𝒴]. By assumption, the elements of 
𝒳 = {U_1, …, U_R, M_1, …, M_n, H_1, …, H_T} are computable. 

An extended computation on 𝒵 is a repeated application of multiplications, multiplicative 
inversions, F, and also taking roots, to elements of 𝒵. Each element of 𝒵 can be obtained from 
𝒳 by extended computations. 

Consider a protocol in which 𝒵 is (part of) the message space, such that each participant 
may apply all possible computations to the elements of 𝒳 and to the messages which it received 
during an execution of the protocol, but only a few distinguished participants are allowed to do 
extended computations. Let α be a participant which is not allowed to do extended computations, 
and let 𝒟(<t) be the stochastic set of elements of 𝒵, received by α before t, which are not 
computable from 𝒳. Then at moment t, α can compute each element of the set 
ℤ[F, 𝒳 ∪ 𝒟(<t)]. Obviously, this set is stochastic and might grow for increasing t. 

Let ψ be an F-homomorphism, and let 𝒴 be a subset of 𝒵 containing 𝒳. Suppose that 
some participant α has received all messages in ψ(𝒴) during the execution of some protocol, of 
which Z_N^* is (part of) the message space. If α can break RSA for the modulus N, then he can, in 
principle, compute ψ(A) for each A in 𝒵. If α can not break this RSA-system then in principle 
he can still compute ψ(A) for each A in 𝒵 which is computable from 𝒴, by applying multiplications 
and multiplicative inversions in Z_N^* and f to the elements of ψ(𝒴). As far as we know, the 
following question, which should be stated more precisely, is still open: 

are there a modulus N and a one-way function f : Z_N^* → Z_N^*, such that for each F-
homomorphism ψ and each A in 𝒵 not computable from 𝒴, computing ψ(A) from ψ(𝒴) is 
as difficult as breaking RSA for the modulus N? 

5.3. The formal credential mechanism 

We shall use the same notation as in the previous sections. The formal credential mechanism will 
have the same set of participants P as the credential mechanism of §3, consisting of the signature 
authority Z, the organizations A_1, …, A_L, the individuals i_1, …, i_R, the individuals' 
representatives, the outside world E and the allocation center C. As before, the numbers φ(N), 
c_1, …, c_K, a, p_1, …, p_L, q_1, …, q_L are pairwise coprime and p_1, …, q_L are primes larger 
than ½n, where n ≥ 4 is the security parameter in the validating part. The message space M will 
be defined in the same way as in §3.5, except that Z_N^* is replaced by 𝒵. Thus M = M' ∪ M'', 
where M' = Π × ℕ × Y with Y = F^+(𝒵) ∪ F({1, …, n}) ∪ {true, false} and M'' is the set of 
messages sent or received by E and C. A ∈ 𝒵 is said to be contained in a message m if 
m = (𝒫,r,y) ∈ M' and A is an entry of y. We say that participant α generates (sends, receives) 
A ∈ 𝒵 in step r of 𝒫 if α generates (sends, receives) the message (𝒫,r,A). Again the time will be 
modelled as a set of discrete moments, T = {0, 1, 2, …}. Again we put X = M × P × P × T. For 
each x = (m,α,β,t) ∈ X, we let C(x) denote the set of elements of 𝒵 contained in m. In particular, 
C(x) = ∅ if m ∈ M''. If a is a subset of X then we put C(a) = ∪_{x ∈ a} C(x). 

We postulate that all participants of the credential mechanism can apply all computations 
to elements of 𝒳 and elements of 𝒵 which they received during an execution of (an attack on) 
the formal credential mechanism; only the signature authority Z can do extended computations. The 
computational abilities of each participant α of the formal credential mechanism can be expressed 
in terms of its collection of choices 𝒢_α (cf. §2.3). The outside world, allocation center and 
representatives will all have a unique choice, satisfying the same conditions as in §3.5. 𝒢_Z 
contains all choices satisfying property (2) with α = Z (cf. §2.2). If α ∈ {i_1, …, i_R, A_1, …, A_L} 
then 𝒢_α contains all choices p_α = {p_{α,t} : t ≥ 0} which have, apart from property (2) in §2.2, the 
following restriction: if y ∈ X(α,P,<t), x ∈ X(P,α,<t) and s ∈ X(α,P,t) then p_{α,t}(y,x,s) = 0 if 
C(s) contains elements from 𝒵 which are not computable from the elements in C(y) ∪ C(x). 

The formal credential mechanism can be described in a similar way as the "real" credential 
mechanism of §3; only all numbers in Z_N^* appearing in the real credential mechanism are 
replaced by their inverse images under ψ, where ψ is some F-homomorphism. The formal 
credential mechanism will satisfy the conditions of §3.5 with 𝒵 replacing Z_N^*. The only exception 
is made for the elements of 𝒵 corresponding to the numbers r_l, s_l chosen in step 3 of some 
I(i_k,A_j): these will correspond to different elements of the set {H_1, …, H_T} which need not be 
chosen by means of a uniform distribution. We notice that in particular, Z chooses the sets S in 
step 6 of each I(i_k,A_j) uniformly from the subsets of {1, …, n} of cardinality ½n and 
independently of the other steps executed at the same moment or before. 

Elements of 𝒵 chosen or computed in the formal credential mechanism will be denoted in 
the same way as the corresponding messages in the real credential mechanism of §3.3, except that 
lower case characters appearing in the bases of the expressions in §3.3 are replaced by 
corresponding capitals, that f is replaced by F and that exponents b are replaced by b^{−1}. Apart 
from that, steps in the formal credential mechanism will be denoted in the same way as the 
corresponding steps in §3.3. Subprotocols in the formal credential mechanism will be given the 
same names as the corresponding subprotocols in the real credential mechanism. 

6. UNFORGEABILITY 

In this section we formulate analogues of properties 1, 2 and 3 mentioned in §1.1 for the formal 
credential mechanism, give a theorem stating that the probability that these properties do not 
hold is bounded above by a number which is exponentially small in the security parameter n 
appearing in step 3 of I(i_k,A_j), and give an example of an attack showing that the upper bound 
in the theorem is optimal. 

6.1. Statement of the result 

We shall use the same notation, and make the same assumptions, as in the previous sections. In 
particular, 𝒵 will have the meaning of §5.1, φ(N), c_1, …, c_K, a, p_1, …, p_L, q_1, …, q_L are 
pairwise coprime, and p_1, …, q_L are primes larger than ½n. We put b_j = p_j^2 c_1 ⋯ c_K for 
j = 1, …, L. For any P ∈ 𝒵 and c ∈ ℤ with gcd(c, φ(N)) = 1 we shall refer to P^{c^{−1}} as "credential 
c on pseudonym P". The same computational model for the formal module 𝒵 as introduced in 
§5.1 will be used. 

Consider an attack 𝒜 on the formal credential mechanism in which Z does not cheat. Let 
P be a pseudonym used by some representative g_j during an execution of 𝒜. We say that P is 
properly validated for organization A_j during this execution if the following happens: 

• in step 2 of II(g_j,A_j), g_j sends P to A_j together with some message W_P, and P ≠ Q and 
P W_P ≠ Q W_Q for each other pseudonym Q which was sent to A_j together with W_Q at the same 
moment or before in step 2 of some other subprotocol II(g'_j,A_j); 

• in step 5 of II(g_j,A_j), g_j sends V_P, T_{2P}, …, T_{½n,P} to A_j such that 

W_P = ∏_{l=2}^{½n} P T_{lP}^{b_j}, V_P = P^{p_j^{−2}} {F(P) ∏_{l=2}^{½n} F(P T_{lP}^{b_j})}^{q_j^{−1}}. 
There is nothing which prevents organizations from accepting pseudonyms which are not 
properly validated. However, organizations accepting such pseudonyms will in the worst case only 
harm themselves, since Z is only willing to compute credentials on pseudonyms which are 
properly validated (cf. II(g_j,A_j) and step 4 of III(g_j,A_j,c) in §3.3). 

We say that a set of pseudonyms, properly validated during an execution of 𝒜, has the 
unforgeability property if it satisfies the following three analogues of properties 1, 2 and 3 of §1.1: 

• it can be partitioned in two ways: in I-sets each containing the pseudonyms used by the 
representatives of a fixed individual, and O-sets each containing the pseudonyms which have been 
properly validated for a fixed organization; 

• each I-set and each O-set have at most one pseudonym in common; 

• if P is a pseudonym, properly validated before moment t, and c a credential, then P^{c^{−1}} is 
computable from 𝒳 and the set of elements of 𝒵 received by the individuals before 
moment t if and only if this set contains Q^{c^{−1}} where Q is a pseudonym belonging to the 
same I-set as P. 

The set of pseudonyms for the attack 𝒜 is defined as the stochastic variable of which each 
value is the set of pseudonyms properly validated during an execution of 𝒜. Henceforth we shall 
implicitly assume, when speaking of an attack on the formal credential mechanism, that the 
choice of any participant α in this attack belongs to the collection 𝒢_α described in §5.3. The 
following theorem is proved in §7. 

THEOREM 2. Let 𝒜 be any attack on the formal credential mechanism in which Z does not cheat 
(possibly the credential mechanism itself). Then the probability that the set of pseudonyms for 𝒜 does 
not have the unforgeability property is at most LR·(n choose ½n)^{−1}. 

Remark 1. By Stirling's formula, the upper bound mentioned in Theorem 2 is approximately 
equal to LR·(½πn)^{1/2}·2^{−n}. In the next subsection we shall describe an attack, showing that the 
upper bound for the probability in Theorem 2 can not be essentially improved. 

Remark 2. Each attack on the formal credential mechanism can be "translated" into an attack 
on the real credential mechanism of §3 by means of an F-homomorphism ψ. In fact, each attack 
on the real credential mechanism can be considered as such a translation, if values of z's, 
obtained during an execution of such an attack by other means than multiplications, 
multiplicative inversions or applications of f, are assigned to ψ(H_1), …, ψ(H_T). 

As a consequence of the remark made at the end of §5.2 it is still unknown whether there is 
an attack on the real credential mechanism which gives individuals a chance considerably larger 
than LR·(n choose ½n)^{−1} of getting validators for a set of pseudonyms not having the properties 1, 2 or 3 
mentioned in §1.1. 
6.2. Attacks on the formal credential mechanism 

It will be proved in §7 that a set of pseudonyms, constructed as prescribed in the formal 
credential mechanism, will have the unforgeability property. Therefore, individuals might only obtain a 
set of pseudonyms without the unforgeability property by means of some attack on the formal 
credential mechanism. We assume that Z is trusted by the organizations, whence that Z does not 
cheat in such an attack. The choices of the individuals in such an attack will have the constraints 
described in §5.3. 

Cheating individuals will only be able to compute a set of validators for a set of 
pseudonyms without the unforgeability property if they succeed, by means of some attack, in getting 
elements of 𝒵 from which these validators can be computed. There are two ways by which 
cheating individuals could get such elements. The first way is a kind of cooperation, in which 
each cheating individual sends all his received elements of 𝒵 to the other cheating individuals. 
Such a cooperation can even take place with organizations. The second method by which a 
cheating individual i_k may obtain appropriate elements of 𝒵 is by sending, in step 5 of some 
I(i_k,A_j), elements A_{kl} (l = 1, …, n) to Z which are not all computed in the way described in 
step 4. Since the set S, generated by Z in step 6, will be chosen uniformly from all subsets of 
{1, …, n} of cardinality ½n, and independently of all that happened previously in the attack, i_k 
may have a considerable chance of not being able to show all R_l, S_l to Z in step 8. Moreover, 
even if i_k is able to show all these, the probability that he will get a validator V_{kj} in step 11 
which is useful for his purposes is in general quite small. 

An example of an attack. We shall describe an attack on the formal credential mechanism 
in which a single individual tries to obtain a validator for a pseudonym on which he can compute 
each credential he likes just by himself. In this attack he need not cooperate with other 
participants of the credential mechanism. 

Let i_k, A_j be an individual and an organization and let g_j be i_k's representative 
communicating with A_j. Let a, p_j, q_j, c_1, …, c_K have the same meaning as in §3.3, and put p = p_j, q = q_j, 
c = c_1 ⋯ c_K, b = p^2 c. Since gcd(p,c) = 1 there are integers α, β such that αp^2 + βc = 1, which i_k 
can compute easily by means of Euclid's algorithm. All steps we refer to will be in I(i_k,A_j). In 
step 3 i_k chooses 2n elements R_l, S_l (l = 1, …, n) of 𝒵, as in the formal credential mechanism. 
In step 4 he computes 

A_{kl} := F(U_k^{1−αp^2}(M_l R_l^a)^b) S_l^{pq} for l = 1, …, ½n, 
A_{kl} := F(U_k(M_l R_l^a)^b) S_l^{pq} for l = ½n + 1, …, n. 

i_k is able to show R_l, S_l (l ∈ S) to Z in step 8 which for all l in S satisfy the condition of step 9, if 
and only if Z chooses S = {½n + 1, …, n} in step 6. The probability that Z chooses this set is 
(n choose ½n)^{−1}. Provided that the check in step 9 gives the value 'true', Z sends to i_k the validator 

V_{kj} := U_k^{p^{−2}} {∏_{l=1}^{½n} A_{kl}}^{q^{−1}}. 
By multiplying V_{kj} with U_k^{−α}(M_1 R_1^a)^c ∏_{l=1}^{½n} S_l^{−p}, and using that 1 − αp^2 = βc, i_k obtains 

V_{g_j} := U_{g_j}^{p^{−2}} {∏_{l=1}^{½n} F(U_{g_j} T_l^b)}^{q^{−1}}, 

where 

U_{g_j} = U_k^{1−αp^2}(M_1 R_1^a)^b = U_k^{βc}(M_1 R_1^a)^b, 

T_1 = 1, and T_l = M_l R_l^a (M_1 R_1^a)^{−1} for l = 2, …, ½n. 

When g_j sends U_{g_j}, W_{g_j} := ∏_{l=2}^{½n} U_{g_j} T_l^b, V_{g_j}, and T_l (l = 2, …, ½n) to A_j during II(g_j,A_j), then A_j 
will accept U_{g_j} as a pseudonym. i_k is now able to compute U_{g_j}^{c^{−1}} for each credential c, and show 
these to A_j even when no other organization has issued this credential to one of i_k's 
representatives. Hence no set of pseudonyms containing U_{g_j} can have the unforgeability property. We 
repeat that the probability of success for i_k is at most (n choose ½n)^{−1}. If all R individuals would try this 
attack for all L organizations, and if LR is small compared with (n choose ½n), then the chance that at 
least one of the individuals is successful is approximately LR·(n choose ½n)^{−1}. This shows that Theorem 
2 is optimal. 
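To make the bound concrete, here is an added Python model (my own code, not part of the paper) of the cut-and-choose step behind Theorem 2 and the attack above: it gives the exact probability that Z's step 9 check passes when k of the n blinded values A_kl are malformed (the paper's attack is the case k = ½n), the Theorem 2 bound and its Stirling approximation from Remark 1, a Monte Carlo run of the attack, and the smallest n a deployer would need for a chosen failure probability. The function names and the parameter k are my own.

```python
from fractions import Fraction
from math import comb, pi, sqrt
import random


def cheat_success_probability(n: int, k: int) -> Fraction:
    """Exact probability that Z's check in step 9 passes.

    The cheater has prepared n blinded values A_k1..A_kn, of which k are
    malformed (the attack in the paper uses k = n/2).  Z opens a uniformly
    random subset S of size n/2 (step 6).  The cheater can only answer
    correctly for honestly formed positions, so the check passes iff S
    avoids all k malformed positions.
    """
    if n % 2:
        raise ValueError("n must be even")
    if not 0 <= k <= n:
        raise ValueError("k must lie in 0..n")
    half = n // 2
    if k > half:  # more malformed values than Z leaves unopened
        return Fraction(0)
    # favourable subsets: choose all n/2 opened positions among the n-k honest ones
    return Fraction(comb(n - k, half), comb(n, half))


def theorem2_bound(L: int, R: int, n: int) -> Fraction:
    """Upper bound LR * binom(n, n/2)^-1 stated in Theorem 2."""
    return L * R * Fraction(1, comb(n, n // 2))


def stirling_approximation(L: int, R: int, n: int) -> float:
    """Remark 1: LR * (pi*n/2)^(1/2) * 2^-n."""
    return L * R * sqrt(pi * n / 2) * 2.0 ** (-n)


def simulate_attack(n: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo of the attack in 6.2.

    The cheater malforms positions 0..n/2-1 (the paper's l = 1..n/2) and
    passes only if Z's random S equals the complementary half.
    """
    rng = random.Random(seed)
    half = n // 2
    malformed = set(range(half))
    hits = 0
    for _ in range(trials):
        opened = set(rng.sample(range(n), half))
        if not (opened & malformed):
            hits += 1
    return hits / trials


def minimum_n(L: int, R: int, target: Fraction) -> int:
    """Smallest even n >= 4 with LR * binom(n, n/2)^-1 <= target.

    This is the parameter a deployer would pick from Theorem 2 for a given
    number of organizations L, individuals R and tolerated failure probability.
    """
    n = 4
    while theorem2_bound(L, R, n) > target:
        n += 2
    return n


if __name__ == "__main__":
    # Constructed parameters: 4 organizations, 100 individuals.
    for n in (4, 8, 16, 32):
        print(n, theorem2_bound(4, 100, n), stirling_approximation(4, 100, n))
    print("n for failure probability 2^-40:", minimum_n(4, 100, Fraction(1, 2 ** 40)))
    print("simulated success of the attack, n=6:", simulate_attack(6, 20000, seed=1))
```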

7. PROOF OF THEOREM 2 

In §7.1 we introduce some notation, needed in the proof of Theorem 2. In §7.2 we prove that a 
set of pseudonyms, constructed in the way prescribed in the formal credential mechanism, has the 
unforgeability property, and in §§7.3-7.5 we shall prove that whatever attack they try, individuals 
will have only a very small chance of being able to validate properly a pseudonym which is not 
of the form described in the formal credential mechanism. 

7.1. Notation 

For any integral domain ℛ with unity, we denote by ℛ^t (t = 1, 2, …) the ℛ-module of t-tuples 
(x_1, …, x_t) over ℛ, and by ℛ^∞ the ℛ-module of infinite tuples (x_1, x_2, …) over ℛ of which 
at most finitely many entries are non-zero. The tuple of which all entries are 0 is in each module 
ℛ^t (t = ∞, 1, 2, …) denoted by 0. 

Let ℕ, ℤ, ℚ denote the set of positive integers, the set of all integers, and the set of rational 
numbers, respectively. For any c ∈ ℕ, put 

Q_c = {a/b : a, b ∈ ℤ, gcd(b, cφ(N)) = 1}. 

In particular, Q = Q_1. If α, β ∈ Q we write α ≡ β mod c if there is a γ ∈ Q_c with α − β = γc. If 
a = (a_1, a_2, …), b = (b_1, b_2, …) ∈ Q^t (t ∈ {∞, 1, 2, …}) then we write a ≡ b mod c if a_i ≡ b_i 
mod c for i = 1, 2, …. 

We shall use the same notation as in the previous sections. In particular, we have 
𝒵 = Q[F,𝒳] = Q[𝒳 ∪ ℱ], where, similar to §5.1, 𝒳 = {U_1, …, U_R, M_1, …, M_n, H_1, …, H_T} 
and ℱ is the set of images of F. Since ℱ is enumerable we may write ℱ = {F_1, F_2, F_3, …}. Thus 
each element of 𝒵 can be written as 

∏_{i=1}^{R} U_i^{x_i} ∏_{i=1}^{∞} F_i^{y_i} ∏_{i=1}^{n} M_i^{w_i} ∏_{i=1}^{T} H_i^{z_i} 

or, more compactly, as U^x F^y M^w H^z, where 

x = (x_1, …, x_R) ∈ Q^R, y = (y_1, y_2, …) ∈ Q^∞, 

w = (w_1, …, w_n) ∈ Q^n, z = (z_1, …, z_T) ∈ Q^T, 

and U^x, F^y, M^w and H^z are abbreviations of 

∏_{i=1}^{R} U_i^{x_i}, ∏_{i=1}^{∞} F_i^{y_i}, ∏_{i=1}^{n} M_i^{w_i} and ∏_{i=1}^{T} H_i^{z_i}, 

respectively. 

Similar to the previous sections, Z denotes the signature authority, A_1, …, A_L the 
organizations, and i_1, …, i_R the individuals participating in the formal credential mechanism. As 
before, c_1, …, c_K, a, p_1, …, p_L, q_1, …, q_L are positive integers which are pairwise coprime, 
and coprime with φ(N), and p_1, …, q_L are primes larger than ½n. From now on we assume, 
when referring to the formal credential mechanism, that it is modified in the following way: 
whenever Z or some representative must send an element of 𝒵 to some individual, then it sends it 
to all individuals. Thus all individuals will have exactly the same computational abilities in 𝒵. It 
is obviously sufficient to prove Theorem 2 for this modified formal credential mechanism. 

We say that X ∈ 𝒵 is computable by the individuals, or that the individuals can compute X, 
at moment t if X is computable from 𝒳 and the elements of 𝒵 received by the individuals before 
moment t during an execution of an attack on the formal credential mechanism. By saying that 
the individuals can compute X before moment ∞ we mean that there is a moment at which the 
individuals can compute X. We shall need the following obvious but important fact: if 
𝒲 = {W_1, …, W_s} is a subset of 𝒵 containing 𝒳, then each element of 𝒵 which is computable 
from 𝒲 can be written in the form 

∏_{i=1}^{s} W_i^{m_i} ∏_{i=1}^{∞} F_i^{y_i} (20) 

where the m_i and y_i are all integers such that at most finitely many of the y_i are non-zero, and 
y_i = 0 if F_i = F(X) and X is not computable from 𝒲. 

7.2. Proof of unforgeability if pseudonyms are properly formed 

If P is a pseudonym, used by some representative g_j, which has been properly validated for some 
organization A_j, then t_P denotes the moment at which the validation of this pseudonym was 
completed, that is the moment at which step 5 of II(g_j,A_j) was executed. 

Consider an execution of some attack in the formal credential mechanism and suppose that 
the set of pseudonyms properly validated during this attack, 𝒮 say, has the following properties: 

• for each P ∈ 𝒮, there are a pair (k,j) with 1 ≤ k ≤ R, 1 ≤ j ≤ L and R_{kj} ∈ 𝒵, such that 

P = U_k R_{kj}^{b_j} and the individuals can compute R_{kj} at moment t_P; (21) 

• for each pair (k,j) with 1 ≤ k ≤ R, 1 ≤ j ≤ L there is at most one pseudonym P in 𝒮 satisfying 
(21). 

Then we have 

Lemma 3. 𝒮 has the unforgeability property. 

Proof. Define the I-sets I_1, …, I_R and O-sets O_1, …, O_L such that the pseudonym in 𝒮 
which satisfies (21) belongs to I_k and O_j. Then each I-set and each O-set have at most one 
pseudonym in common. Let c be a credential, P a pseudonym in I_1 which has been validated before 
moment t, and suppose that the set consisting of 𝒳 and the elements of 𝒵 received by the 
individuals before moment t does not contain any Q^{c^{−1}} with Q ∈ I_1. We shall prove that the 
individuals can not compute P^{c^{−1}} at moment t. By repeating the same argument for the other I-sets, 
one proves that 𝒮 has the unforgeability property. 

Let 

𝒢 = {U^x F^y M^w H^z : x = (x_1, …, x_R) ∈ Q^R, x_1 ∈ Q_c, y ∈ Q^∞, w ∈ Q^n, z ∈ Q^T} 

and 𝒟(u) the set of elements of 𝒵 computable by the individuals at moment u, for each moment 
u. We shall prove that 𝒟(t) ⊆ 𝒢. Obviously, 𝒟(0) = ℤ[F,𝒳] is contained in 𝒢. For each u with 
1 ≤ u ≤ t we show that 𝒟(u − 1) ⊆ 𝒢 implies 𝒟(u) ⊆ 𝒢. Then it follows by induction on u that 
𝒟(t) ⊆ 𝒢. 

Fix u with 1 ≤ u ≤ t. To establish our induction step, we have to consider the set of 
elements of 𝒵 received by the individuals at moment u − 1. This set consists of either credentials on 
pseudonyms or validators. Suppose that some individual receives a validator at moment u − 1. 
This validator is a p_j q_j-th root of some element of 𝒟(u − 2). Since 𝒢 is closed under 
exponentiation with numbers in Q_c, this shows that this validator belongs to 𝒢. By a similar argument it 
follows that credentials Q^{c'^{−1}} with c' ≠ c on pseudonyms received by some individual at moment u must 
belong to 𝒢. Suppose that at moment u − 1 some credential Q^{c^{−1}} on a pseudonym Q has been 
received by some individual. Then by assumption, Q must belong to one of the sets I_k with 
k > 1. Moreover, Q must have been properly validated before moment u − 1. Hence by (21), Q 
can be written as U_k R_{kj}^{b_j} for some k > 1 and j and some R_{kj} in 𝒟(u − 2). Since c divides b_j, this 
shows that Q^{c^{−1}} ∈ 𝒢. We infer that all elements of 𝒵 received by the individuals at moment 
u − 1 belong to 𝒢. But since 𝒢 is closed under computations, this proves that 𝒟(u) is contained 
in 𝒢. 

We shall now show that P^{c^{−1}} ∉ 𝒟(t). Assume the contrary. By (21) and the fact that P has 
been properly validated before moment t, there are j and R_{1j} ∈ 𝒟(t) such that P = U_1 R_{1j}^{b_j}. Since 
c divides b_j this implies that U_1^{c^{−1}} belongs to 𝒟(t), whence to 𝒢, which is false. Hence our 
assumption must have been wrong. This completes the proof of Lemma 3. □ 

Roughly speaking, Lemma 3 proves that any set of pseudonyms having the form prescribed in the formal credential mechanism must have the unforgeability property. In order to prove Theorem 2, it is therefore sufficient to show that the probability that individuals are able to properly validate pseudonyms which are not of the required form is very small. We shall state this more precisely.

By an $A_j$-validator for a pseudonym $P$ we shall mean a tuple
$$V_j(P) = (V_P, W_P, T_{2,P}, \dots, T_{\frac12 n,P})$$
of elements in $\mathfrak{G}$ such that



V P =P p > 



Vin 

F{P)HF{pr lP ) 

1 = 2 



™ h 



1 = 2 



(22) 



where $p_j, q_j, b_j$ have the same meaning as before. If $P$ has been properly validated for $A_j$ then $A_j$ has received an $A_j$-validator for $P$. Two $A_j$-validators $V_j(P_1) = (V_{P_1}, W_{P_1}, T_{2,P_1}, \dots, T_{\frac12 n,P_1})$ and $V_j(P_2) = (V_{P_2}, W_{P_2}, T_{2,P_2}, \dots, T_{\frac12 n,P_2})$ for pseudonyms $P_1$ and $P_2$, respectively, are called equivalent if, after reordering, the tuples $(P_1, P_1T_{2,P_1}^{b_j}, \dots, P_1T_{\frac12 n,P_1}^{b_j})$ and $(P_2, P_2T_{2,P_2}^{b_j}, \dots, P_2T_{\frac12 n,P_2}^{b_j})$ are equal. (Loosely speaking this means that the products of the $F$-values appearing in $V_{P_1}$ and $V_{P_2}$, respectively, are equal.) Note that in none of these tuples the entries need be distinct. If the validators $V_j(P_1)$ and $V_j(P_2)$ are equivalent, then $P_1W_{P_1} = P_2W_{P_2}$. Hence any two pseudonyms which have been properly validated for $A_j$ must have been shown to $A_j$ together with inequivalent validators.

For each attack on the formal credential mechanism, and each $j$ in $\{1, \dots, L\}$, the following events are defined:

$E_{1j}$: in some execution, there is a pseudonym $P$ in $\mathfrak{P}$, properly validated for $A_j$, such that none of the roots $(PU_k^{-1})^{b_j^{-1}}$ can be computed by the individuals at moment $t_P$, for $k = 1, \dots, R$.

$E_{2j}$: in some execution, there is a moment $t$ at which the individuals can compute: two pseudonyms $P_1$ and $P_2$; the $b_j$-th root of their quotient, $(P_1P_2^{-1})^{b_j^{-1}}$; two inequivalent $A_j$-validators $V_j(P_1)$ and $V_j(P_2)$ for $P_1$ and $P_2$ respectively.

Informally, $E_{1j}$ is the event that a pseudonym, properly validated for $A_j$, is not of the form prescribed in the credential mechanism, and $E_{2j}$ is the event that two "similar" pseudonyms have been properly validated with "non-similar" validators.

Suppose that in some execution of an attack on the formal credential mechanism, none of the events $E_{1j}, E_{2j}$ ($1 \le j \le L$) takes place. Let $\mathcal{S}$ be the set of properly validated pseudonyms in this execution. Then each pseudonym in $\mathcal{S}$ must satisfy (21) for some pair $(k,j)$, since none of the events $E_{1j}$ takes place. Moreover, no two pseudonyms in $\mathcal{S}$ can satisfy (21) for the same pair $(k,j)$. For if two pseudonyms, $P_1, P_2$ say, in $\mathcal{S}$ would have satisfied (21) for the same pair $(k,j)$, then at some moment $t$ the individuals would have been able to compute $P_1$, $P_2$ and $(P_1P_2^{-1})^{b_j^{-1}}$. But since none of the events $E_{2j}$ was supposed to take place, the validators for $P_1$ and $P_2$ must be equivalent, which contradicts the fact that these pseudonyms have been properly validated.

Together with Lemma 3 this implies the following: the probability that the set of pseudonyms for (an attack on) the formal credential mechanism does not have the unforgeability property is at most equal to the probability of the event $E_{11} \cup E_{12} \cup \cdots \cup E_{1L} \cup E_{21} \cup \cdots \cup E_{2L}$. Theorem 3 states, in a more precise form, that this event has probability at most $LR\binom{n}{\frac12 n}^{-1}$. This implies Theorem 2 at once.

THEOREM 3. For each attack on the formal credential mechanism in which $Z$ does not cheat, we have
$$\Pr[E_{1j}] \le R\binom{n}{\frac12 n}^{-1} \quad\text{and}\quad \Pr[E_{2j}] = 0 \quad\text{for } j = 1, \dots, L.$$
7.3. Preliminaries to the proof of Theorem 3

We shall use the same notation as in the previous sections. In particular, $i_1, \dots, i_R$ will be the individuals participating in the credential mechanism. We fix $j$ in $\{1, \dots, L\}$ and put $p = p_j$, $q = q_j$ and $b = b_j$. As mentioned before, each element of $\mathfrak{G}$ can be expressed as a finite product of powers of which the bases belong to $\mathfrak{B} \cup \mathfrak{W}$ and the exponents to $Q$. We shall show that any condition that the individuals can ever compute certain elements of $\mathfrak{G}$ can be expressed as the solvability of some system of linear equations modulo $p^2q$ of which some of the coefficients are stochastic variables and the unknowns belong to $Q$.

Consider an attack on the formal credential mechanism, and denote the changed version of $I(i_k, A_j)$ in this attack also by $I(i_k, A_j)$. In step 5 of $I(i_k, A_j)$, $i_k$ sends elements $A_{kl}$ ($l = 1, \dots, n$) to $Z$, which might have been computed in another way than described in the formal credential mechanism, and might have been chosen by means of a probability distribution depending on all steps previously executed in which some individual was involved. In step 6, $Z$ chooses a set $\mathfrak{S}_k$ (which is now indexed in order to distinguish sets $\mathfrak{S}$ generated in different $I(i_k, A_j)$), by means of a probability distribution which is uniform on the collection of subsets of $\{1, \dots, n\}$ of cardinality $\frac12 n$, and independent of all other steps executed at the same moment or before in the credential mechanism. In step 8, $i_k$ has to send $R_l, S_l$ to $Z$ for each $l$ in $\mathfrak{S}_k$ such that $A_{kl} = F(U_k(M_lR_l^a)^b)S_l^{pq}$. If $Z$ concludes in step 9 that indeed $i_k$ constructed each $A_{kl}$ with $l \in \mathfrak{S}_k$ in the proper way, then he sends in step 11 the validator $V_{kj}$ to $i_k$.

From now on, we exclude attacks useless to the individuals in which some security check by $Z$ in $I(i_k, A_j)$ other than that in step 9 is 'false', or in which $i_k$, while knowing the correct $R_l, S_l$ for some $l$ in $\mathfrak{S}_k$ in step 8, sends false $R_l$ or $S_l$ to $Z$.

For each $k$ in $\{1, \dots, R\}$ we introduce the following notation:

Ik 



Y k =U A M 



lf k (Y k {HF(U k (M,Rff)~ l p 



where $\xi_k = 1$ if the check in step 9 of $I(i_k, A_j)$ gave the value 'true' and $\xi_k = 0$ otherwise. Hence if the check in step 9 did not fail, $V_k$ is equal to $V_{kj}\prod S_l$, whereas $V_k = 1$ if this check failed. We notice that $Y_k$ is controlled completely by $i_k$; it is independent of $\mathfrak{S}_k$. We assume from now on that $i_k$ receives $V_k$ from $Z$ instead of $V_{kj}$ in step 11, for $k = 1, \dots, R$. This does not change the computational abilities of the individuals.

Let $t_k$ be the moment at which step 11 of $I(i_k, A_j)$ is executed, that is the moment at which $i_k$ (and so the other individuals) receives $V_k$ from $Z$. We shall derive the upper bounds in Theorem 3 subject to the condition that
$$t_1 < t_2 < \cdots < t_R. \tag{23}$$
By repeating the argument for each other possible order of the $t_k$'s, one can prove Theorem 3.

Henceforth we shall assume (23). Each $i_k$ sends $A_{k1}, \dots, A_{kn}$ to $Z$ before moment $t_k$. Hence for $k = 1, \dots, R$, the individuals can compute $Y_k$ before they receive $V_k, \dots, V_R$. In view of (20), the $Y_k$'s have the form
$$Y_1 = U^{x_1}F^{y_1}M^{w_1}H^{z_1}, \qquad Y_k = V_1^{\delta_{1k}} \cdots V_{k-1}^{\delta_{k-1,k}}\, U^{x_k}F^{y_k}M^{w_k}H^{z_k} \quad\text{for } k = 2, \dots, R, \tag{24}$$
where $\delta_{1k}, \dots, \delta_{k-1,k} \in Q_{pq}$, $x_k \in Q_{pq}^R$, $y_k \in Q_{pq}^\infty$, $w_k \in Q_{pq}^\infty$, $z_k \in Q_{pq}^\infty$. Apart from $V_1, \dots, V_R$, individuals may receive validators for other organizations, or credentials on pseudonyms, which are all $d$-th roots of messages previously computable by the individuals, where $d$ is a positive integer coprime with $pq$. We took this into consideration by allowing that the coefficients in (24) belong to $Q_{pq}$ rather than $\mathbb{Z}$.

For $k = 1, \dots, R$, let $\mathfrak{T}_k$ be the set of positive integers $j$ such that $F_j = F(U_k(M_lR_l^a)^b)$ for some $R_l$ sent by $i_k$ to $Z$ in step 8 of $I(i_k, A_j)$, and define $e(\mathfrak{T}_k) \in Q^\infty$ by



Moreover, $d_k \in Q^R$ denotes the vector of which the $k$-th coordinate is 1, and the other coordinates are 0. With this notation we have



Vk — [U^ [Y k F-™}™~ , f t0 ck=2, ...,R. 



(25) 



The following lemma is crucial in the proof of Theorem 3.

Lemma 4. Consider an execution of some attack on the formal credential mechanism in which $Y_1, \dots, Y_R$ satisfy (24) and $V_1, \dots, V_R$ satisfy (25). Suppose that at a moment $< t_{h+1}$ (where $h \in \{1, \dots, R\}$ and $t_{R+1} := \infty$), the individuals can compute $U^uF^fM^mH^h \in \mathfrak{G}$, where $u \in Q^R$, $f \in Q^\infty$, $m \in Q^\infty$ and $h \in Q^\infty$. Then there are $m_1, \dots, m_h \in Q$ such that
$$\sum_{k=1}^{h} m_k\xi_k\big(d_k + pq^{-1}x_k\big) \equiv p^2u \pmod{p^2}, \tag{26}$$
$$\sum_{k=1}^{h} m_k\xi_k\big(y_k - e(\mathfrak{T}_k)\big) \equiv pqf \pmod{p}, \tag{27}$$
$$\sum_{k=1}^{h} m_k\xi_k\big(y_k - e(\mathfrak{T}_k)\big) \equiv pqf \pmod{q}. \tag{28}$$
Moreover, if $p^2u \in Q_p^R$, then $m_1\xi_1, \dots, m_h\xi_h$ belong to $Q_p$.

Proof. By (21) there are $n_1, \dots, n_h \in Q_{pq}$, $a \in Q_{pq}^R$, $b \in Q_{pq}^\infty$, $c \in Q_{pq}^\infty$ and $d \in Q_{pq}^\infty$ such that
$$U^uF^fM^mH^h = V_1^{n_1} \cdots V_h^{n_h}\, U^aF^bM^cH^d. \tag{29}$$
For k =1, . . . ,R, put 

Wk = U P k~ 2 ^F^'^M^H 1 ^" ■ (30) 
Then by (24) and (25), 

<Plf' 



W^ = Vk 



Using these relationships, it is possible to express each $V_k$ as a product of powers of $W_1, \dots, W_k$, in which the exponents belong to $Q$ and may have denominators divisible by $p$ or $q$. Together with (29) this shows that there are $m_1, \dots, m_h$ in $Q$ such that
$$U^uF^fM^mH^h = W_1^{m_1\xi_1} \cdots W_h^{m_h\xi_h}\, U^aF^bM^cH^d.$$
By combining this with (30) and equating the exponents of $U$ and $F$, we obtain
$$\sum_{k=1}^{h} m_k\xi_k\big(p^{-2}d_k + (pq)^{-1}x_k\big) + a = u,$$
$$\sum_{k=1}^{h} m_k\xi_k(pq)^{-1}\big(y_k - e(\mathfrak{T}_k)\big) + b = f.$$
(We shall not need the relationships coming from the exponents of $M$ and $H$.) Now we obtain (26) by multiplying the first equation with $p^2$ and reducing it modulo $p^2$, and (27), (28) by multiplying the second equation with $pq$ and reducing it modulo $p$ and $q$, respectively.

Suppose that $p^2u \in Q_p^R$, and that not all numbers $m_k\xi_k$ with $1 \le k \le h$ belong to $Q_p$. Then there is an integer $d$, divisible by $p$, such that all numbers $dm_k\xi_k$ are integers and at least one of them is not divisible by $p$. But by multiplying (26) with $d$ and reducing it modulo $p$, we obtain
$$\sum_{k=1}^{h} dm_k\xi_k d_k \equiv 0 \pmod{p},$$
whence $dm_k\xi_k \equiv 0 \pmod{p}$ for $k = 1, \dots, h$. This contradiction shows that all $m_k\xi_k$ must belong to $Q_p$ if $p^2u \in Q_p^R$. This completes the proof of Lemma 4. □

The following consequence of Lemma 4 will be useful.

Lemma 5. Let $f \in \mathbb{Z}^\infty$ and suppose that all coordinates of $f$ have absolute values smaller than $p$. If there is a moment at which the individuals can compute $F^{(pq)^{-1}f}$, then $f = 0$.

Proof. Suppose that at some moment, the individuals can compute $F^{(pq)^{-1}f}$. Then by Lemma 4, eq. (26), there are $m_1, \dots, m_R$, with $m_1\xi_1, \dots, m_R\xi_R \in Q_p$, such that
$$\sum_{k=1}^{R} m_k\xi_k\big(d_k + pq^{-1}x_k\big) \equiv 0 \pmod{p^2}.$$
By reducing this equation modulo $p$, and using that $q$ is coprime with $p$, we obtain $m_k\xi_k \equiv 0 \pmod{p}$ for $k = 1, \dots, R$. A substitution of this into (27) yields that $f \equiv 0 \pmod{p}$. But since by assumption the absolute values of the coordinates of $f$ are smaller than $p$, this proves Lemma 5. □

7.4. Proof of $\Pr[E_{2j}] = 0$

Consider an execution of some attack on the formal credential mechanism in which $Z$ does not cheat. Suppose that in this execution there is a moment $t$ at which the individuals can compute pseudonyms $P_1, P_2$, the $b$-th root of their quotient $(P_1P_2^{-1})^{b^{-1}}$ and $A_j$-validators $V_j(P_1), V_j(P_2)$ for $P_1$ and $P_2$ respectively, where
$$V_j(P_i) = (V_{P_i}, W_{P_i}, T_{2,P_i}, \dots, T_{\frac12 n,P_i}) \quad\text{for } i = 1, 2.$$
We have to prove that $V_j(P_1)$ and $V_j(P_2)$ are equivalent. Put $T_{1,P_1} = T_{1,P_2} = 1$ and let $f(i) \in Q^\infty$ be defined by

for $i = 1, 2$. Then

for $i = 1, 2$. At moment $t$ the individuals can compute
$$(P_2P_1^{-1})^{b^{-1}}\, V_{P_1}V_{P_2}^{-1} = F^{(pq)^{-1}(f(1) - f(2))}.$$
For $i = 1, 2$ the coordinates of $f(i)$ are non-negative integers of which the sum is equal to $\frac12 n$. Moreover, we assumed that $p > \frac12 n$. Hence the coordinates of $f(1) - f(2)$ have absolute values less than $p$. Together with Lemma 5 this shows that $f(1) = f(2)$. But this means exactly that $V_j(P_1)$ and $V_j(P_2)$ are equivalent. □

7.5. Proof of $\Pr[E_{1j}] \le R\binom{n}{\frac12 n}^{-1}$

Consider an attack $\mathfrak{A}$ on the credential mechanism in which $Z$ does not cheat, and suppose that during some execution of $\mathfrak{A}$ a pseudonym $P$ is properly validated at a moment $t_P$ at which none of the $b$-th roots $(PU_k^{-1})^{b^{-1}}$ ($k = 1, \dots, R$) is computable by the individuals. We have to prove that this can happen with probability at most $R\binom{n}{\frac12 n}^{-1}$. In the proof of this fact we need some further notation, which is introduced below.

We recall that $t_k$ is the moment at which step 11 of $I(i_k, A_j)$ is executed, and that $A_{k1}, \dots, A_{kn}$ are the numbers which $i_k$ sent to $Z$ in step 5 of $I(i_k, A_j)$. We define $s_k$ as the moment at which step 8 of $I(i_k, A_j)$ is executed, that is the moment at which $i_k$ shows $R_l$ and $S_l$ to $Z$ for $l \in \mathfrak{S}_k$. The stochastic partial function $f_k : \{1, \dots, n\} \to \mathbb{N}$ is defined as follows: if at moment $s_k$ the individuals can compute $R_l, S_l$ such that $A_{kl} = F(U_k(M_lR_l^a)^b)S_l^{pq}$ then we put $f_k(l) = j$, where $j$ is the positive integer determined by $F_j = F(U_k(M_lR_l^a)^b)$. If the individuals cannot compute such $R_l$ and $S_l$ then we do not define $f_k(l)$. $f_k$ is well-defined, that is, at moment $s_k$ the individuals can compute at most one pair $(R_l, S_l)$ for each $A_{kl}$. For suppose that at moment $s_k$ the individuals can compute $R_{1l}, S_{1l}$ and $R_{2l}, S_{2l}$ with $A_{kl} = F_1S_{1l}^{pq} = F_2S_{2l}^{pq}$, where $F_i = F(U_k(M_lR_{il}^a)^b)$ for $i = 1, 2$. Then at moment $s_k$ the individuals can compute $(F_1F_2^{-1})^{(pq)^{-1}} = S_{2l}S_{1l}^{-1}$. By applying Lemma 5 we obtain $F_1 = F_2$, whence $R_{1l} = R_{2l}$, $S_{1l} = S_{2l}$, as required.

In the first step of the proof we show that $f_k$ is injective. Suppose that $f_k$ is defined in both $l$ and $m$, where $l$ and $m$ are distinct integers in $\{1, \dots, n\}$, and that $f_k(l) = f_k(m)$. Then at moment $s_k$ the individuals can compute $R_l$ and $R_m$ such that $U_k(M_lR_l^a)^b = U_k(M_mR_m^a)^b$. But this implies that $(M_lM_m^{-1})^{a^{-1}} = R_mR_l^{-1}$. Hence the individuals can compute $(M_lM_m^{-1})^{a^{-1}}$ at moment $s_k$. But this is impossible. For since all elements of $\mathfrak{G}$ received by the individuals are of the form $D^{e^{-1}}$, where $D$ was computable by the individuals before this message was received and $e$ is an integer coprime with $a$, all elements of $\mathfrak{G}$ ever computable by the individuals must be of the form $U^uF^fM^mH^h$, where all coordinates of $u, f, m$ and $h$ have denominators coprime with $a$.

In the second step of the proof we show that for $k = 1, \dots, R$, $\mathfrak{S}_k$ is statistically independent of $x_j, y_j$ and $f_j$ for $1 \le j \le k$ and of $\mathfrak{S}_j$ for $1 \le j < k$. The steps in a subprotocol are executed at consecutive moments. In particular, $Z$ chooses $\mathfrak{S}_k$ at moment $s_k - 2$, uniformly from the collection of subsets of $\{1, \dots, n\}$ of cardinality $\frac12 n$, and independently of the steps executed at or before moment $s_k - 2$. Together with (23), this proves that $\mathfrak{S}_k$ is independent of $x_j$ and $y_j$ for $1 \le j \le k$ and of $\mathfrak{S}_j$ for $1 \le j < k$. By definition, the set of elements of $\mathfrak{G}$ which is computable by the individuals at moment $s_k$ is equal to the set of elements of $\mathfrak{G}$ which is computable from $\mathfrak{B}$ and the elements of $\mathfrak{G}$ received by the individuals before moment $s_k$. The elements of $\mathfrak{G}$ sent to the individuals at moment $s_k - 1$ are all roots of elements of $\mathfrak{G}$ which were computable by the individuals at moment $s_k - 2$. Hence the partial function $f_k$ is completely determined by the set of messages exchanged at or before moment $s_k - 2$. This proves that $\mathfrak{S}_k$ is also independent of $f_1, \dots, f_k$.

For $k = 1, \dots, R$ we put $\mathfrak{U}_k = f_k(\{1, \dots, n\})$ and $\mathfrak{U}_k^* = \mathfrak{U}_1 \cup \cdots \cup \mathfrak{U}_k$. It is easy to check that $\mathfrak{T}_k = f_k(\mathfrak{S}_k)$, where $\mathfrak{T}_k$ is the set defined in (25). From the injectivity of $f_k$ it follows that $\xi_k = 1$ (the check in step 9 of $I(i_k, A_j)$ does not fail) if and only if $\#\mathfrak{T}_k = \frac12 n$, and that the vector $e(\mathfrak{T}_k)$, defined in (25), is equal to $(e_1, e_2, \dots)$, where $e_j = 1$ if $j \in \mathfrak{T}_k$ and $e_j = 0$ otherwise. If $\mathcal{R}$ is some integral domain, $\mathfrak{V}$ a finite subset of $\mathbb{N}$, and $y = (y_1, y_2, \dots) \in \mathcal{R}^\infty$, then we denote by $y(\mathfrak{V})$ the tuple $(\bar y_1, \bar y_2, \dots)$ with $\bar y_i = y_i$ if $i \in \mathfrak{V}$ and $\bar y_i = 0$ otherwise.

In the third step of the proof we shall show that there exist an integer $T$ with $1 \le T \le R$ and integers $m_k$ for $1 \le k \le T$ such that $m_k\xi_k$ is not divisible by $q$ for at least one $k$ in $\{1, \dots, T\}$ and
$$\sum_{k=1}^{T} m_k\xi_k\big(y_k(\mathfrak{U}_T^*) - e(\mathfrak{T}_k)\big) \equiv 0 \pmod{q}. \tag{31}$$

Let $V_j(P) = (V_P, W_P, T_{2,P}, \dots, T_{\frac12 n,P})$ be an $A_j$-validator for $P$, let $\mathfrak{F}$ be the set of integers $j$ such that $F_j = F(PT_{l,P}^b)$ for some $l$ in $\{1, \dots, \frac12 n\}$, where $T_{1,P} = 1$. Define the vector $f(\mathfrak{F}) \in Q^\infty$ by

'/in 

1 = 1 

Since $\gcd(p, q) = 1$, there are rational integers $\alpha, \beta$ with $\alpha p + \beta q = 1$. It follows (cf. (22)) that

V-_—Ft ' f < 5 ') = ( yp p 2 p ~ ] )" 

can be computed by the individuals at moment $t_P$. By Lemma 4, eq. (28), with $h = R$, there are $m_1, \dots, m_R \in Q$ such that
$$\sum_{k=1}^{R} m_k\xi_k\big(y_k - e(\mathfrak{T}_k)\big) \equiv pf(\mathfrak{F}) \pmod{q}. \tag{32}$$
Since $p$ and $q$ are distinct primes larger than $\frac12 n$ and the coordinates of $f(\mathfrak{F})$ are non-negative and have sum $\frac12 n$, not all $m_k\xi_k$ are integers divisible by $q$. Let $T$ be the smallest integer with $1 \le T \le R$ such that (32) is solvable with $m_k\xi_k \equiv 0 \pmod{q}$ for $k > T$. Then
$$\sum_{k=1}^{T} m_k\xi_k\big(y_k - e(\mathfrak{T}_k)\big) \equiv pf(\mathfrak{F}) \pmod{q}, \tag{33}$$
and $m_T\xi_T$ is not divisible by $q$. By Lemma 4 with $h = T - 1$, $V$ is not computable by the individuals before moment $t_T$, so definitely not at moment $s_T$. But since the individuals can compute $V$ at moment $t_P$, we have
$$s_T < t_P. \tag{34}$$
If the sets $\mathfrak{U}_T^*$ and $\mathfrak{F}$ would have an element in common, then the individuals were able to compute $R_1$ and $R_2$ at moment $s_T$ such that $U_kR_1^b = PR_2^b$ for some $k \le T$. Together with (34) this would imply that before moment $t_P$ the individuals can compute $(PU_k^{-1})^{b^{-1}}$, which is against our assumption. Hence $\mathfrak{U}_T^* \cap \mathfrak{F} = \emptyset$. By applying this to (33), using that the coordinates of $f(\mathfrak{F})$ are 0 on the places outside $\mathfrak{F}$ and considering only the coordinates of both sides of (33) on the places in the set $\mathfrak{U}_T^*$, and multiplying each $m_k$ with $d$, where $d$ is the smallest positive integer such that all $dm_k$ are integers for $k = 1, \dots, T$, we obtain that (31) is satisfied with $m_k := dm_k$ for $1 \le k \le T$, and that $m_k\xi_k$ is not divisible by $q$ for at least one $k$ in $\{1, \dots, T\}$.

In the fourth step we shall prove that
$$\mathfrak{U}_j \cap \mathfrak{U}_h = \emptyset \quad\text{for } 1 \le j < h \le R. \tag{35}$$
Assume that (35) is false and let $j$ and $h$ be integers with $1 \le j < h \le R$ such that $\mathfrak{U}_j$ and $\mathfrak{U}_h$ have an element in common.Then at moment $s_h$ the individuals can compute $R_1$ and $R_2$ such that $U_jR_1^b = U_hR_2^b$. But this implies that at moment $s_h$, so definitely before moment $t_h$, they can compute $U^{p^{-2}(d_j - d_h)}$. Together with Lemma 4 this shows that there are $m_1, \dots, m_{h-1}$ in $Q_p$ with
$$\sum_{k=1}^{h-1} m_k\xi_k\big(d_k + pq^{-1}x_k\big) \equiv d_j - d_h \pmod{p^2}.$$
By comparing the $h$-th coordinates on both sides of this equation and reducing them modulo $p$, we obtain that $0 \equiv -1 \pmod{p}$, which is impossible. Hence our assumption that (35) is false was wrong.

Our assertion that $\Pr[E_{1j}] \le R\binom{n}{\frac12 n}^{-1}$ follows at once by combining the results of the previous four steps with Lemma 6 below with $K = GF(q)$.

Lemma 6. Let $K$ be a field and let $y_1, \dots, y_R$, $f_1, \dots, f_R$, $\mathfrak{S}_1, \dots, \mathfrak{S}_R$ be stochastic variables, defined on the same probability space, such that

$y_1, \dots, y_R$ assume their values in $K^\infty$;

$f_1, \dots, f_R$ are injective partial functions $\{1, \dots, n\} \to \mathbb{N}$ such that the sets $\mathfrak{U}_k = f_k(\{1, \dots, n\})$ are pairwise disjoint;

$\mathfrak{S}_1, \dots, \mathfrak{S}_R$ are subsets of $\{1, \dots, n\}$;

for each $k$, the distribution of $\mathfrak{S}_k$ is uniform on the collection of subsets of $\{1, \dots, n\}$ of cardinality $\frac12 n$ and independent of $y_k, f_k$ and $y_j, f_j, \mathfrak{S}_j$ for $1 \le j < k$.

For $k = 1, \dots, R$, let $\mathfrak{U}_k^* = \mathfrak{U}_1 \cup \cdots \cup \mathfrak{U}_k$, $\mathfrak{T}_k = f_k(\mathfrak{S}_k)$, $\xi_k = 1$ if $\#\mathfrak{T}_k = \frac12 n$ and $\xi_k = 0$ otherwise, and $e(\mathfrak{T}_k) \in K^\infty$ the vector of which the coordinates are 1 on the places in $\mathfrak{T}_k$ and 0 on the places outside $\mathfrak{T}_k$.

For $T = 1, \dots, R$, let $X_T$ be the event that there are $m_1, \dots, m_T \in K$ such that $m_k\xi_k \ne 0$ for at least one $k$ with $1 \le k \le T$ and
$$\sum_{k=1}^{T} m_k\xi_k\big(y_k(\mathfrak{U}_T^*) - e(\mathfrak{T}_k)\big) = 0. \tag{36}$$
Then
$$\Pr[X_1 \cup \cdots \cup X_R] \le R\binom{n}{\frac12 n}^{-1}.$$
Proof. For $T = 1, \dots, R$ let $\bar X_T$ be the event that $X_T$ does not take place. It suffices to prove that
$$\Pr[X_1] \le \binom{n}{\frac12 n}^{-1} \quad\text{and}\quad \Pr[X_T \cap \bar X_{T-1}] \le \binom{n}{\frac12 n}^{-1} \quad\text{for } T = 2, \dots, R, \tag{37}$$
since
$$\Pr[X_1 \cup \cdots \cup X_R] \le \Pr[X_1] + \sum_{T=2}^{R} \Pr[X_T \cap \bar X_{T-1}].$$
We shall prove (37) only for $T > 1$; the argument for $T = 1$ is even easier and is therefore omitted. Fix $T$ in $\{2, \dots, R\}$ and denote by $W$ the stochastic tuple consisting of $y_j, f_j$ ($j \le T$) and $\mathfrak{S}_j$ ($j < T$). Let $\mathcal{E}$ be the set of values for $W$ for which (36) has a non-trivial solution (i.e. a solution with $m_k\xi_k \ne 0$ for at least one $k$ in $\{1, \dots, T\}$) but the system
$$\sum_{k=1}^{T-1} m_k\xi_k\big(y_k(\mathfrak{U}_{T-1}^*) - e(\mathfrak{T}_k)\big) = 0 \quad\text{in } m_1, \dots, m_{T-1} \in K \tag{38}$$
has only solutions with $m_k\xi_k = 0$ for $k = 1, \dots, T-1$. Fix $w$ in $\mathcal{E}$ and denote the entries of $w$ by $y_j, f_j$ ($1 \le j \le T$) and $\mathfrak{S}_j$ ($1 \le j < T$). Let $m_1, \dots, m_T$ be a non-trivial solution of (36). By (38), $m_T\xi_T$ is non-zero. Hence $\mathfrak{U}_T$ has cardinality at least $\frac12 n$. Moreover, there are $m'_1, \dots, m'_{T-1} \in K$ such that
$$\sum_{k=1}^{T-1} m'_k\xi_k\big(y_k(\mathfrak{U}_T^*) - e(\mathfrak{T}_k)\big) = y_T(\mathfrak{U}_T^*) - e(\mathfrak{T}_T). \tag{39}$$
By combining this with the fact that the sets $\mathfrak{U}_k$ are pairwise disjoint, and considering only the coordinates on the places in $\mathfrak{U}_{T-1}^*$, we obtain
$$\sum_{k=1}^{T-1} m'_k\xi_k\big(y_k(\mathfrak{U}_{T-1}^*) - e(\mathfrak{T}_k)\big) = y_T(\mathfrak{U}_{T-1}^*). \tag{40}$$
If (40) could be satisfied by two different tuples $(m'_k\xi_k : k = 1, \dots, T-1)$, then a subtraction of these tuples would yield a non-trivial solution of (38), which does not exist by assumption. Hence $m'_1\xi_1, \dots, m'_{T-1}\xi_{T-1}$ are uniquely determined by (40). But this implies that the set $\mathfrak{T}_T$ is uniquely determined by (39). By using that $f_T$ is injective, we obtain that $\mathfrak{S}_T$ is uniquely determined by (39). But $\mathfrak{S}_T$ is uniformly distributed on the collection of $\binom{n}{\frac12 n}$ subsets of $\{1, \dots, n\}$ of cardinality $\frac12 n$, and independently of $W$. Hence $\Pr[X_T \mid W = w] \le \binom{n}{\frac12 n}^{-1}$ for each $w \in \mathcal{E}$. Therefore
$$\Pr[X_T \cap \bar X_{T-1}] = \sum_{w \in \mathcal{E}} \Pr[X_T, W = w] = \sum_{w \in \mathcal{E}} \Pr[X_T \mid W = w]\Pr[W = w] \le \binom{n}{\frac12 n}^{-1}.$$
This proves (37). □
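The bound $\binom{n}{\frac12 n}^{-1}$ in (37), and hence the factor $R\binom{n}{\frac12 n}^{-1}$ in Theorem 3, comes from step 6 of the subprotocol: $Z$ opens a uniformly random half of the $n$ values $A_{k1}, \dots, A_{kn}$, and the proof of Lemma 6 shows that the bad event forces $\mathfrak{S}_T$ to be one particular subset. The following Python script is an added illustration and not part of the paper. It uses a simplified model (an assumption of this example): the step-9 check passes exactly when none of the positions $Z$ asks to have opened is malformed. It enumerates all half-size subsets to obtain the exact probability that a given set of malformed positions escapes the check, compares it with the closed form, and applies the union bound over $R$ individuals. The function names and the malformed sets are constructed for this example.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def check_passes(opened, malformed):
    """Step-9 check in the simplified model (assumption of this example):
    Z accepts iff none of the positions it asked to have opened belongs
    to the set of malformed positions."""
    return not (set(opened) & set(malformed))


def avoidance_probability(n, malformed):
    """Exact probability, over Z's uniform choice of a subset S_k of
    {1,...,n} of cardinality n/2, that S_k avoids every malformed
    position.  Computed by enumerating all C(n, n/2) subsets."""
    if n % 2:
        raise ValueError("n must be even so that n/2 is an integer")
    half = n // 2
    passing = sum(1 for s in combinations(range(1, n + 1), half)
                  if check_passes(s, malformed))
    return Fraction(passing, comb(n, half))


def avoidance_probability_closed_form(n, m):
    """Same quantity in closed form for m malformed positions: S_k must
    be drawn entirely from the n - m well-formed positions."""
    half = n // 2
    return Fraction(comb(n - m, half), comb(n, half))


def theorem3_bound(n, R):
    """R * C(n, n/2)^(-1): the union bound over R individuals when, as in
    the proof of Lemma 6, the unopened half must coincide with one
    specific subset (exactly n/2 malformed positions)."""
    return Fraction(R, comb(n, n // 2))


if __name__ == "__main__":
    n = 8  # constructed parameter; C(8, 4) = 70 subsets
    for malformed in ({3, 6}, {2, 5, 7, 8}):
        p = avoidance_probability(n, malformed)
        print(f"n={n}, malformed={sorted(malformed)}: Pr[check passes] = {p}")
    print(f"Theorem 3 bound for n={n}, R=3: {theorem3_bound(n, 3)}")
```

With $n = 8$ and four malformed positions, only the single complementary subset passes, giving $1/70 = \binom{8}{4}^{-1}$; with two malformed positions the check is far weaker ($15/70$), which is why the proof has to show that a deviation useful to the individuals needs $\#\mathfrak{U}_T \ge \frac12 n$ before the $\binom{n}{\frac12 n}^{-1}$ term applies.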

8. POSSIBLE EXTENSIONS 

In this section we briefly mention some extensions of the credential mechanism presented in this 
paper. 

An advantage of this credential mechanism is its flexibility. It has only one major restric- 
tion: the set of credentials must be public and fixed before validators are issued, and the amount 
of computation required also depends linearly on the cardinality of this set. A credential 
mechanism presented in [Ch 84], which is a variant of that considered here, solves these problems 
in a natural way. For that mechanism, it is possible to prove an analogue of Theorem 2. A 
result as strong as Theorem 1 does not hold, but instead one can prove that in essence almost no 
information about the relationship between pseudonyms used with different organizations is 
revealed. 

We also considered a variation on the credential mechanism that differs mainly in that the 
validators shown to the organizations are just RSA-signatures on products of the values of the 
one-way function. For this variation we were able to prove an analogue of Theorem 2 which is 
not quite as tight as the result in this paper. This variation has the advantage that it can be 
easily extended — without loss of security for the organizations or privacy of the individuals — to a 
credential mechanism in which each I-set and O-set can have a restricted number of pseudonyms 
in common which may be larger than 1 . Such an extension may be useful in practice. 

In [Ch 84], several ways were presented to build more elaborate and potentially useful 
structures from these basic credential mechanisms, but the security of such constructions is as yet 
unproved. 
ABSTRACT



Under the assumption that encryption functions exist, we show that all languages in NP possess zero-knowledge proofs.

That is, it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula. In particular, without yielding either a satisfying assignment or weaker properties such as whether there is a satisfying assignment in which $x_1 = \text{TRUE}$, or whether there is a satisfying assignment in which $x_1 = x_3$, etc.

The above result allows us to prove two fundamental theorems in the field of (two- 
party and multi-party) cryptographic protocols. These theorems yield automatic and 
efficient transformations that, given a protocol that is correct with respect to an 
extremely weak adversary, output a protocol correct in the most adversarial scenario. 
Thus, these theorems imply powerful methodologies for developing two-party and multi- 
party cryptographic protocols. 



1. INTRODUCTION 

A fundamental measure proposed by Goldwasser, Micali and Rackoff [GMR] is that 
of the amount of knowledge released during an interactive proof. Informally, an interac- 
tive proof is a two-party protocol through which one party (the prover) can convince his 
counterparts (the verifier) in the validity of some statement concerning a common input. 
(The prover should be able to do so if and only if the statement is indeed valid.) Loosely 
speaking, an interactive proof system is called zero-knowledge if whatever the verifier 
could generate in polynomial-time after interacting with the prover, he could also gen- 
erate in polynomial-time when just told by a trusted oracle that the assertion is indeed 
valid. In other words, zero-knowledge proofs have the remarkable property of being 
both convincing and yielding nothing except that the assertion is indeed valid. 

Despite their importance, very few examples of (non-trivial¹) zero-knowledge proofs have been known until recently. Furthermore, all previously known proofs were of languages in NP ∩ co-NP and heavily relied on special "symmetric" properties of "Number Theoretic" languages. The much more general potential offered by the notion of zero-knowledge proofs has remained unrealized.

In this extended abstract, we first show how to construct zero-knowledge interactive proofs for every language in NP. This yields an extremely powerful cryptographic tool: the ability to prove any NP statement in a zero-knowledge manner. In particular, the generality of this tool allows an untrusted party to prove that he is behaving according to a predetermined protocol, without yielding any of his secrets. We exemplify the power of this tool by three concrete applications. However, the general effect of this result is demonstrated in its generic application as part of a compiler which translates protocols operating in a weak adversary model to protocols which achieve the same goals in the most adversarial environment.

1.1 What is an interactive proof system 

It is traditional to view NP as the class of languages whose elements possess short proofs of membership. A "proof that $x \in L$" is a witness $w_x$ such that $P_L(x, w_x) = 1$, where $P_L$ is a polynomial-time computable Boolean predicate associated to the language $L$ such that $P_L(x, y) = 0$ for all $y$ if $x$ is not in $L$. The witness must have length polynomial in the length of the input $x$, but need not be computable from $x$ in polynomial time. A slightly different point of view is to consider NP as the class of languages $L$ for which a powerful prover may prove membership in $L$ to polynomial-time deterministic verifiers. The interaction between the prover and the verifier, in this case, is trivial: the prover sends a witness ("proof") and the verifier computes for polynomial time to verify that it is indeed a proof.
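The trivial NP interaction described above, for the satisfiability language used in the abstract, as an added illustration that is not part of the paper: the predicate $P_L$ is a clause-by-clause evaluator, the "proof" is the witness itself, and the last function makes explicit what the verifier learns beyond membership (precisely the properties the abstract says a zero-knowledge proof must hide). The CNF formula, the assignments and all function names are constructed for this example.

```python
# Constructed CNF formula (an assumption of this example, not from the paper):
# (x1 OR NOT x2) AND (x2 OR x3) AND (NOT x1 OR NOT x3).
# A clause is a list of literals; literal k means x_k, literal -k means NOT x_k.
FORMULA = [[1, -2], [2, 3], [-1, -3]]


def P_L(formula, witness):
    """The polynomial-time predicate P_L(x, w) of section 1.1 for L = SAT:
    returns 1 iff the assignment w (a dict variable -> bool) satisfies
    every clause of x.  For an unsatisfiable x it is 0 for every w."""
    def literal_holds(lit):
        value = witness[abs(lit)]
        return value if lit > 0 else not value
    return int(all(any(literal_holds(l) for l in clause) for clause in formula))


def trivial_interactive_proof(formula, witness):
    """The trivial one-message interaction: the prover sends the witness
    and the deterministic polynomial-time verifier evaluates P_L.
    Returns True iff the verifier accepts."""
    return P_L(formula, witness) == 1


def verifier_side_information(witness):
    """What the verifier learns from the trivial proof beyond 'x is in L':
    the whole assignment, hence also the weaker properties named in the
    abstract (whether x1 = TRUE, whether x1 = x3)."""
    return {
        "satisfying_assignment": dict(witness),
        "x1_is_true": witness[1],
        "x1_equals_x3": witness[1] == witness[3],
    }


if __name__ == "__main__":
    w = {1: True, 2: True, 3: False}  # constructed satisfying assignment
    print("verifier accepts:", trivial_interactive_proof(FORMULA, w))
    print("side information:", verifier_side_information(w))
```

Completeness and validity in the sense of section 1.1 are immediate for this trivial system (the verifier never errs), but the side-information function shows why it is the opposite of zero-knowledge: the witness is disclosed in full.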

This formalism was recently generalized by allowing more complex interaction between the prover and the verifier and by allowing the verifier to toss coins and to be convinced by overwhelming statistical evidence [GMR, B]. The motivation of Goldwasser, Micali and Rackoff for this generalization was to consider the most general manner in which one party can prove theorems to another party, and to study the "amount of knowledge revealed in such interactions" [GMR]. This generalization is crucial for establishing the non-triviality of the notion of zero-knowledge proofs (see Remarks 4 and 5).



1) All languages in BPP have trivial zero-knowledge proofs, in which the prover tells the verifier nothing; the verifier can test membership in BPP languages by himself.
An interactive proof system for a language $L$ is a protocol (i.e. a pair of local programs) for two probabilistic interactive machines called the prover and the verifier. We denote these predetermined programs by $P$ and $V$, respectively. Initially both machines have access to a common input tape. The two machines send messages to one another through two communication tapes. Each machine only sees its own tapes, the common input tape and the communication tapes. In particular, it follows that one machine cannot monitor the internal computation of the other machine nor read the other's coin tosses, current state, program etc. The verifier is bounded to a number of steps which is polynomial in the length of the common input, after which he stops either in an accept state or in a reject state. At this point we put no restrictions on the local computation conducted by the prover.

We require that, whenever the verifier is following his predetermined program V, the 
following two conditions hold: 

1) Completeness of the interactive proof system: If the common input $x$ is in $L$ and the prover runs his predetermined program $P$, then the verifier accepts $x$ with probability $\ge 1 - |x|^{-c}$, for every constant $c > 0$. In other words, the prover can convince the verifier that $x \in L$.

2) Validity of the interactive proof system: If the common input $x$ is NOT in $L$, then for every program $P'$ run by the prover the verifier rejects $x$ with probability $\ge 1 - |x|^{-c}$, for every constant $c > 0$. In other words, the prover cannot fool the verifier.

Remark 1: Note that it does not suffice to require that the verifier cannot be fooled by 
the predetermined prover P (such a mild condition would have presupposed that the 
"prover" is trusted by the verifier). We require that no matter how the prover plays, he 
will fail to "prove" incorrect statements. 

Remark 2: As is the case with NP, the conditions imposed on acceptance and rejection 
are not symmetric. Therefore the existence of an interactive proof for the language L 
does not imply its existence for the complement of L . 

Remark 3: The above "definition" follows the one of Goldwasser, Micali and Rackoff [GMR]. A different definition due to Babai [B] restricts the verifier's actions to generating random strings, sending them to the prover, and evaluating a deterministic polynomial-time predicate at the end of the interaction. In other words, in Babai's framework the coin tosses are public, while in the more general definition of [GMR] the verifier may use a private coin (the output of which may not be revealed to the prover). Designing proof systems seems to be much simpler in the [GMR] model, but making statements about them seems easier if one restricts oneself to Babai's model. Surprisingly, the two models are equivalent as far as language recognition is concerned [GS].

Remark 4: The ability to toss coins is crucial to the non-triviality of the notion of an interactive proof system. Suppose that a language $L$ has an interactive proof system in which the verifier does not toss coins. Then, without loss of generality, this proof system is a trivial one: The prover just guesses the legal conversation, sends it to the verifier which just verifies its validity in deterministic polynomial-time. (It follows that $L \in NP$.)
1.2 What is a zero-knowledge proof 

Intuitively, a zero-knowledge proof is a proof which yields nothing but its validity. This means that for all practical purposes, "whatever" can be done after interacting with a zero-knowledge prover can be done when just believing that the assertion he claims is indeed valid. (By "whatever" we mean not only the computation of functions but also the generation of probabilistic distributions.) Thus, zero-knowledge is a property of the predetermined prover: its robustness against attempts of an arbitrary (polynomial-time) verifier to extract knowledge from him via the interaction. This is captured by the formulation appearing in [GMR] and sketched below.

Denote by $V^*(x)$ the probability distribution generated by a machine $V^*$ which 
interacts with (the prover) $P$ on the common input $x \in L$. We say that the proof system 
is zero-knowledge if for all probabilistic polynomial-time machines $V^*$, there exists a 
probabilistic polynomial-time algorithm $M_{V^*}$ that on input $x$ can produce a probability 
distribution $M_{V^*}(x)$ that is polynomially-indistinguishable from the distribution $V^*(x)$. 
(For every algorithm $A$, let $p_A(x)$ denote the probability that $A$ outputs 1 on input $x$ 
and an element chosen according to the probability distribution $D(x)$. Similarly, 
$p'_A(x)$ is defined with respect to the probability distribution $D'(x)$. $D(\cdot)$ and $D'(\cdot)$ 
are polynomially-indistinguishable if for every probabilistic polynomial-time algorithm $A$, 
$|p_A(x) - p'_A(x)| < |x|^{-c}$ for every constant $c > 0$ and for all sufficiently long $x$. 
This notion originates from [GM] and [Y].) 

Remark 5: It is easy to see that if a language L has a zero-knowledge proof system in 
which only one message is sent, then $L \in BPP$. Thus, the non-triviality of the interaction 
is a necessary condition for the non-triviality of the notion of zero-knowledge. 

1.3 Previous results concerning interactive proofs 

In section 1.1, we implicitly discussed the classes of languages having $k$-move 
interactive proof systems (i.e. $k$ message exchanges). Let $IP(k)$ denote the class of 
languages membership in which can be proved through a general interaction consisting 
of $k$ messages, and let $RIP(k)$ denote languages proven through the restricted type of 
interaction in which the verifier tosses "public coins". Babai [B] showed that for every 
constant $k$, $RIP(k) = RIP(2) \subseteq NP^B$ for almost all oracles $B$. This means that his 
restricted hierarchy collapses. Goldwasser and Sipser [GS] showed that, surprisingly, for 
every $k$, $IP(k) \subseteq RIP(k+3)$. Both the above results say nothing about preservation of 
zero-knowledge by the transformations. 

Several Number Theoretic languages, not known to be in BPP, have been previously 
shown to have zero-knowledge proof systems. The first language for which such a 
proof system has been demonstrated is Quadratic Non-Residuosity [GMR]. Other zero-knowledge 
proof systems were presented in [GMR], [GHY], and [G]. All these languages 
are known to lie in $NP \cap \text{Co-}NP$. 
1.4 Our Results 

In this extended abstract, we present only our results which are directly related to 
cryptography. For these results, we assume the existence of an arbitrary secure encryp- 
tion function. We first show how to prove any NP statement in zero-knowledge. Next 
we use this ability to develop a methodology of cryptographic protocol design. 

We have omitted from this extended abstract our results which are not related to 
cryptography. These results, which do not rely on any assumptions, consist of zero-knowledge 
interactive proof systems for Graph Isomorphism and Graph Non-Isomorphism. 
The mere existence of an interactive proof system for Graph Non-Isomorphism 
is interesting, since Graph Non-Isomorphism is not known to be in NP. 
For details see our paper [GMW]. 

1.5 Related Work 

Using the intractability assumption of quadratic residuosity, Brassard and Crepeau 
have discovered independently (but subsequently) zero-knowledge proof systems for all 
languages in NP [BC1]. These proof systems heavily rely on particular properties of quadratic 
residues and do not seem to extend to arbitrary encryption functions. Recently, 
Brassard and Crepeau showed that if factoring is intractable then every NP language has 
a "zero-information" interactive proof system [BC2]. It should be stressed that the protocol 
they proposed constitutes an interactive proof provided that factoring is intractable. 
In other words, the validity of the interactive proofs depends on an intractability 
assumption; while in this paper and in [BC1] the proofs do not rely on such an assumption. 
On the positive side, the protocol presented in [BC2] is "zero-information" in the 
following strong sense: for every verifier program $V^*$ there is an algorithm $M_{V^*}$ such 
that the probability distribution generated by $M_{V^*}$ (on input $x \in L$) is identical to the 
probability distribution generated by $V^*$ (when interacting with the prover on the input 
$x$). 

Independently, Chaum [Cha] discovered a protocol which is very similar to the one 
in [BC2]. Chaum also proposed an interesting application of such "zero-information 
proofs". His application is to a setting in which the verifier may have infinite computing 
power while the prover is restricted to polynomial-time computations (see also [CEGP]). 
In such a setting it makes no sense to have the prover demonstrate properties (as 
membership in a language) to the verifier. However, the prover may wish to demonstrate 
to the verifier that he "knows" something without revealing what he "knows". More 
specifically, given a SAT formula, the prover wishes to convince the verifier that he 
"knows" a satisfying assignment in a manner that yields no information about which of 
the satisfying assignments he knows. A definition of the notion of "a program knowing a 
satisfying assignment" can be derived from [GMR]. 

1.6 Organization of the Paper 

In Section 2 we state our assumptions, and introduce some conventions. In Section 
3 we show how to use any one-way permutation in order to construct a zero-knowledge 
interactive proof for any language in NP. In Section 4 we exemplify the cryptographic 
applications of the above result. In Section 5 we outline the fundamental theorems for 
two-party and multi-party cryptographic protocols. 

2. Preliminaries 

Throughout this paper we assume the existence of an arbitrary secure encryption 
scheme in the sense of Goldwasser and Micali [GM]. Such schemes exist if unapproximable 
predicates exist [GM]. The existence of unapproximable predicates has been shown 
by Yao to be a weaker assumption than the existence of one-way permutations [Y]. In 
particular, the infeasibility assumption of factoring (equivalently: the assumption that 
squaring modulo a composite integer is a one-way permutation) implies that the least 
significant bit of the modular square root is an unapproximable predicate [ACGS]. Note 
that the existence of one-way permutations is the basis for most of the works and results 
in "modern cryptography". See for example [DH, RSA, R1, GM, GMRiv, EM]. 

An encryption scheme secure as in [GM] is a probabilistic polynomial-time algorithm 
$f$ that on input $x$ and a random string $r$, outputs an encryption $f(x,r)$. 
Decryption is unique, that is $f(x,r) = f(y,s)$ implies $x = y$. 

Notations: Let A be a set. 

1) $Sym(A)$ denotes the set of permutations over $A$. 

2) When writing $a \in_R A$, we mean an element chosen at random with uniform probability 
distribution from the set $A$. 

3. Zero-Knowledge Proofs for All Languages in NP 

We begin by presenting a zero-knowledge interactive proof for graph 3-colourability. 
Using this interactive proof, we present zero-knowledge proofs for every 
language in NP. 

3.1 A Zero-Knowledge Proof for Graph 3-Colourability 

The common input to the following protocol is a graph $G(V,E)$. In the following 
protocol, the prover needs only to be a probabilistic polynomial-time machine which gets 
a proper 3-colouring of $G$ as an auxiliary input. Let us denote this colouring by $\phi$ 
($\phi: V \to \{1,2,3\}$). Let $n = |V|$, $m = |E|$. For simplicity, let $V = \{1,2,\ldots,n\}$. 

The following four steps are executed $m^2$ times, each time using independent coin tosses. 

1) The prover chooses a random permutation of the 3-colouring, encrypts it, and sends 
it to the verifier. More specifically, the prover chooses a permutation 
$\pi \in_R Sym(\{1,2,3\})$, and random $r_v$'s, computes $R_v = f(\pi(\phi(v)), r_v)$ (for every 
$v \in V$), and sends the sequence $R_1, R_2, \ldots, R_n$ to the verifier. 

2) The verifier chooses at random an edge $e \in_R E$ and sends it to the prover. 

3) If $e = (u,v) \in E$ then the prover reveals the colouring of $u$ and $v$ and "proves" 
that they correspond to their encryptions. More specifically, the prover sends 
$(\pi(\phi(u)), r_u)$ and $(\pi(\phi(v)), r_v)$ to the verifier. If $e \notin E$ then the prover stops. 

4) (The verifier checks the "proof" provided in step (3).) 

The verifier checks whether $R_u = f(\pi(\phi(u)), r_u)$, $R_v = f(\pi(\phi(v)), r_v)$, 
$\pi(\phi(u)) \neq \pi(\phi(v))$ and $\pi(\phi(u)), \pi(\phi(v)) \in \{1,2,3\}$. If any of these conditions is violated 
the verifier rejects and stops. Otherwise the verifier continues to the next iteration. 

If the verifier has completed all $m^2$ iterations then it accepts. 

The reader can easily verify the following facts: When the graph is 3-colourable and 
both prover and verifier follow the protocol then the verifier always accepts. When the 
graph is not 3-colourable and the verifier follows the protocol then no matter how the 
prover plays, the verifier will reject with probability at least $1 - (1-m^{-1})^{m^2} \approx 1 - \exp(-m)$. 
Thus, the above protocol constitutes an interactive proof system for 3-colourability. 

Proposition: If $f(\cdot,\cdot)$ is a secure probabilistic encryption, then the above protocol constitutes 
a zero-knowledge interactive proof system for 3-colourability. 

Proof sketch: It is clear that the above prover conveys no knowledge to the SPECIFIED 
verifier. We need however to show that our prover conveys no knowledge to all 
possible verifiers, including cheating ones that deviate arbitrarily from the protocol. 

Let $V^*$ be an arbitrary fixed program of a probabilistic polynomial-time machine 
interacting with the prover $P$, specified by the protocol. We will present a probabilistic 
polynomial-time machine $M_{V^*}$ that generates a probability distribution which is polynomially 
indistinguishable from the probability distribution induced on $V^*$'s tapes during 
its interaction with the prover $P$. In fact it suffices to generate the distribution on the 
random tape and the communication tape of $V^*$. 

Our demonstration of the existence of such $M_{V^*}$ is constructive: given an interactive 
program $V^*$, we use it in order to construct the machine $M_{V^*}$. The way we use 
$V^*$ in this construction does not correspond to the traditional notion of (a subroutine) 
reduction [K, C], but rather to a more general notion of reduction suggested in [AHU, 
pp. 373-374]. The machine $M_{V^*}$ monitors the execution of $V^*$. In particular, $M_{V^*}$ 
chooses the random tape of $V^*$, reads messages from $V^*$'s communication tape, and 
writes messages to $V^*$'s communication tape. Typically, $M_{V^*}$ tries to guess which edge 
the machine $V^*$ will ask to check. $M_{V^*}$ encrypts an illegal colouring of $G$ such that it 
can answer $V^*$ in case it ($M_{V^*}$) is lucky. The cases in which $M_{V^*}$ fails will be ignored: 
$M_{V^*}$ will just rewind $V^*$ to the last success, and try its luck again. It is crucial that 
from the point of view of $V^*$ the case which leads to $M_{V^*}$'s success and the case which 
leads to $M_{V^*}$'s failure are polynomially indistinguishable. 

The machine $M_{V^*}$, monitoring $V^*$, starts by choosing a random tape $r$ for $V^*$. 
$M_{V^*}$ places $r$ on its record tape and proceeds in $m^2$ rounds as follows. 

1) $M_{V^*}$ picks an edge $(u,v) \in_R E$ and a pair of integers 
$(a,b) \in_R \{(i,j) : 1 \le i \neq j \le 3\}$ at random. $M_{V^*}$ chooses random $r_i$'s and 
computes $R_i = f(c_i, r_i)$, where $c_i = 0$ for $i \in V - \{u,v\}$, $c_u = a$ and $c_v = b$. $M_{V^*}$ 
places the sequence of $R_i$'s on the communication tape of $V^*$. 

2) $M_{V^*}$ reads $e$ from the communication tape of $V^*$. If $e \notin E$ ($V^*$ cheats) then 
$M_{V^*}$ appends the $R_i$'s and $e$ to its record tape, outputs the record tape, and stops. 
If $e \neq (u,v)$ (unlucky for $M_{V^*}$) then $M_{V^*}$ rewinds $V^*$ to the configuration at the 
beginning of the current round, and repeats the current round with new random 
choices. If $e = (u,v)$ (lucky for $M_{V^*}$) then $M_{V^*}$ proceeds as follows: First, it places 
$(a, r_u)$ and $(b, r_v)$ on the communication tape of $V^*$. Second, it appends the $R_i$'s, 
$e$, $(a, r_u)$ and $(b, r_v)$ to its record tape; and finally, it proceeds to the next round. 

If all rounds are completed then $M_{V^*}$ outputs its record and halts. A technical lemma 
(to be stated and proved in the final paper) guarantees that the three possible "answers" 
of the verifier (i.e. $e \notin E$, $e \in E - \{(u,v)\}$ and $e = (u,v)$) occur with essentially the 
same probability as in the interaction of $V^*$ and the real prover. Thus, the probability 
that the simulation of a particular round requires more than $k \cdot m$ rewinds is smaller 
than $2^{-k}$, and $M_{V^*}$ terminates in polynomial time. The only difference between the probability 
distribution of the true interactions and the distribution generated by $M_{V^*}$ is 
that the first contains probabilistic encryptions of colourings while the second contains 
probabilistic encryptions of mostly 0's. However, a second technical lemma (postponed to 
the final paper) asserts that this difference is indistinguishable in probabilistic 
polynomial-time. 
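The 3-colourability protocol of Section 3.1 and the rewinding simulator $M_{V^*}$ of the proof sketch above, carried through as an added worked example (not code from the paper). It stands in a SHA-256 commitment for the secure probabilistic encryption $f(\cdot,\cdot)$, models $V^*$ as a deterministic machine whose edge choice depends on its random tape and the messages received so far, and runs on constructed graphs; none of these choices come from the paper.

```python
import hashlib
import random
from itertools import permutations

COLOURS = (1, 2, 3)


def f(x, r):
    """Stand-in for the probabilistic encryption f(x, r): a hash commitment to colour x
    under the 16-byte nonce r (an assumption made here; the paper leaves f abstract)."""
    return hashlib.sha256(r + bytes([x])).digest()


def nonce(rng):
    return rng.getrandbits(128).to_bytes(16, "big")


def honest_verifier(tape, rnd, commitments, edges):
    """A V* modelled as a deterministic machine: its step-2 edge choice depends only on
    its random tape, the round number and the encrypted colouring it just received."""
    h = hashlib.sha256(tape + rnd.to_bytes(4, "big") + b"".join(commitments)).digest()
    return edges[int.from_bytes(h, "big") % len(edges)]


def verify_round(commitments, edge, opening):
    """Step 4: R_u and R_v open to the revealed colours, which are legal and distinct."""
    (u, v), ((cu, ru), (cv, rv)) = edge, opening
    return (commitments[u] == f(cu, ru) and commitments[v] == f(cv, rv)
            and cu in COLOURS and cv in COLOURS and cu != cv)


def run_protocol(n, edges, colouring, rounds, seed):
    """The real interaction.  The prover holds `colouring` (proper or not) and follows
    steps 1 and 3; the verifier runs steps 2 and 4.  Returns the verifier's verdict."""
    rng = random.Random(seed)
    tape = nonce(rng)
    for rnd in range(rounds):
        # Step 1: pick pi in Sym({1,2,3}) and encrypt pi(phi(v)) for every vertex v.
        pi = dict(zip(COLOURS, rng.choice(list(permutations(COLOURS)))))
        rs = [nonce(rng) for _ in range(n)]
        commitments = [f(pi[colouring[v]], rs[v]) for v in range(n)]
        # Steps 2 and 3: the verifier names an edge, the prover opens its endpoints.
        u, v = honest_verifier(tape, rnd, commitments, edges)
        opening = ((pi[colouring[u]], rs[u]), (pi[colouring[v]], rs[v]))
        if not verify_round(commitments, (u, v), opening):
            return False
    return True


def simulate(n, edges, rounds, seed, verifier=honest_verifier):
    """M_{V*}: builds an accepting record without any colouring by guessing the edge V*
    will ask for, encrypting the illegal colour 0 everywhere else, and rewinding V* to
    the start of the round whenever the guess was wrong.  Returns (record, rewinds)."""
    rng = random.Random(seed)
    tape = nonce(rng)                 # M_{V*} fixes V*'s random tape once
    record, rewinds = [], 0
    for rnd in range(rounds):
        while True:
            u, v = rng.choice(edges)                 # guessed edge (u, v)
            a, b = rng.sample(COLOURS, 2)            # distinct colours a != b
            rs = [nonce(rng) for _ in range(n)]
            colours = [0] * n
            colours[u], colours[v] = a, b
            commitments = [f(colours[i], rs[i]) for i in range(n)]
            e = verifier(tape, rnd, commitments, edges)
            if e not in edges:                       # V* cheats: output the record so far
                record.append((commitments, e, None))
                return record, rewinds
            if e == (u, v):                          # lucky: answer with (a, r_u), (b, r_v)
                record.append((commitments, e, ((a, rs[u]), (b, rs[v]))))
                break
            rewinds += 1                             # unlucky: rewind V* and try again
    return record, rewinds


# Constructed inputs: a 5-cycle, which is 3-colourable, and K4, which is not.
C5_EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
C5_COLOURING = [1, 2, 1, 2, 3]
K4_EDGES = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]
K4_BAD_COLOURING = [1, 2, 3, 1]      # edge (0, 3) is monochromatic; no 3-assignment avoids this


if __name__ == "__main__":
    m = len(K4_EDGES)
    print("honest prover, C5:", run_protocol(5, C5_EDGES, C5_COLOURING, 25, seed=7))
    print("cheating prover, K4, m^2 rounds:",
          run_protocol(4, K4_EDGES, K4_BAD_COLOURING, m * m, seed=7))
    record, rewinds = simulate(5, C5_EDGES, rounds=25, seed=7)
    print("simulated record verifies:", all(verify_round(c, e, o) for c, e, o in record),
          "| rewinds:", rewinds)
```

Every round of the simulated record passes the same step-4 check as a real round, although the simulator never held a colouring; the rewind count shows the expected $m$ tries per round.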

Remark 6: The above protocol needs $m^2$ rounds. In the final version of our paper we 
will present two alternative ways of modifying the above protocol so as to get a four-round 
zero-knowledge protocol for graph 3-colorability. In both modifications the idea is to 
have the verifier send the prover "encryptions" of all his questions (i.e. which edge he 
wants to check for each copy of the coloured graph) before the prover sends to the 
verifier the corresponding coloured graphs. By this, the verifier commits himself to a test 
before seeing the encrypted colourings (equivalently, the tests are only a function of the 
common input and the random coin tosses of the verifier). How can the verifier encrypt 
his questions? This is the point in which the two modifications differ. 

1) Assuming the intractability of integer factorization, the verifier encrypts as follows. 
The prover first randomly chooses a Blum integer $N$ (i.e. a composite integer which 
is the product of two large primes each congruent to 3 modulo 4). To encrypt the 
bit $a \in \{0,1\}$, the verifier randomly chooses a residue $r$ with Jacobi symbol 
$(-1)^a$, computes $s = r^2 \bmod N$, sends $s$ to the prover and proves (in zero-knowledge) 
that he "knows" a square root of $s$ (consult [FMRW, GMR]). Note that 
even with infinite computing power, the prover cannot know $a$. To reveal $a$, the 
verifier presents $r$. Assuming the intractability of factoring, the verifier cannot 
"change his mind" about $a$. 

2) A trivial solution follows by modifying the definition of an interactive proof such 
that the prover is also restricted to polynomial-time computation, and his 
"computational advantage" over the verifier is merely in having an auxiliary input. 
Note that this is the natural cryptographic scenario. 
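The verifier's bit encryption of modification (1) in Remark 6, as an added worked example (not the paper's code): commit to $a$ by a square $s$ whose root $r$ has Jacobi symbol $(-1)^a$, and reveal by presenting $r$. The toy Blum integer, the function names and the random choices are constructed here; with the factorization known, the block also enumerates all four roots of $s$, which is why the square alone reveals nothing about $a$ and why "changing his mind" amounts to finding a second root.

```python
import math
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the standard binary algorithm."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                     # factor out 2: (2/n) = -1 iff n = 3, 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                           # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def commit_bit(a, N, rng):
    """Verifier side: choose r coprime to N with Jacobi symbol (-1)^a, send s = r^2 mod N
    and keep r for the reveal.  Returns (s, r)."""
    target = -1 if a else 1
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1 and jacobi(r, N) == target:
            return r * r % N, r


def open_bit(s, r, N):
    """Prover side: accept the reveal r only if it is a unit and a root of s, then read
    the bit off the Jacobi symbol (r/N).  Returns None when the reveal is invalid."""
    if math.gcd(r, N) != 1 or r * r % N != s:
        return None
    return 0 if jacobi(r, N) == 1 else 1


def all_square_roots(s, p, q):
    """With the factorization N = pq known (p, q = 3 mod 4), the four roots of s mod N:
    s^((p+1)/4) is a root mod p, likewise mod q, and the CRT combines the sign choices.
    Two roots carry each Jacobi symbol, since (-1/N) = +1 for a Blum integer."""
    assert p % 4 == 3 and q % 4 == 3
    N = p * q
    rp, rq = pow(s, (p + 1) // 4, p), pow(s, (q + 1) // 4, q)
    roots = set()
    for xp in (rp, p - rp):
        for xq in (rq, q - rq):
            roots.add((xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % N)
    return sorted(roots)


# Constructed toy Blum integer: both primes are 3 mod 4 (far too small for real use).
P, Q = 1019, 1031
N = P * Q

if __name__ == "__main__":
    rng = random.Random(2024)
    for a in (0, 1):
        s, r = commit_bit(a, N, rng)
        roots = all_square_roots(s, P, Q)
        print(f"bit {a}: s={s}, opens to {open_bit(s, r, N)}, "
              f"Jacobi symbols of the four roots of s: {[jacobi(x, N) for x in roots]}")
```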

Remark 7: The above protocol can be easily modified to yield a zero-information protocol 
that constitutes a proof system if factoring is intractable. The modification consists 
of having the prover encrypt the colouring by using a Blum integer selected by the 
verifier (analogous to (1) in Remark 6). More details will be given in the final version of our 
paper. 

3.2 Zero-Knowledge proofs for all Languages in NP 

Incorporating the standard reductions into the protocol of Section 3.1, we get 

Theorem 1: If $f(\cdot,\cdot)$ is a secure probabilistic encryption, then every NP language has a 
zero-knowledge interactive proof system. 

Proof: For every language $L \in NP$ the protocol incorporates a fixed reduction of $L$ to 
3-colourability. Each party computes the 3-colourability instance from the common 
input, and then the prover proves to the verifier that this instance is 3-colourable (using 
the protocol of section 3.1). QED 

Slightly less obvious is the proof of the following Theorem 2 that adapts Theorem 1 
to the cryptographic scenario, in which all players are bounded to efficient computation. 

Theorem 2: If $f(\cdot,\cdot)$ is a secure probabilistic encryption, every language in NP has a 
zero-knowledge interactive proof system whose prover is a probabilistic polynomial-time 
machine which gets an NP proof as an auxiliary input. 

Proof: We would like the parties to proceed as in the proof of Theorem 1. The problem 
is whether the prover is powerful enough to execute his role in that protocol. Note that 
if the prover is given a colouring of the reduced 3-colourability instance then he can follow 
the instructions of the protocol in Section 3.1. However, the prover is only given an 
NP proof for membership in an arbitrary language in NP. The difficulty is resolved 
by noticing that the standard reductions used in the protocol also efficiently transform 
the witnesses to the corresponding instances (see details below). 

Most known Karp-reductions have the property that, given an NP-proof for the original 
instance, one can easily obtain an NP-proof for the reduced instance. Let $L_1$ be a 
language which is Karp-reducible to the language $L_2$ by the polynomial-time function $t$. 
Let $L \in NP$ and $x \in L$; then we denote by $w(x)$ a witness for $x$ (i.e. $P_L(x, w(x)) = 1$, 
where $P_L$ is the polynomial-time predicate associated to $L$). If there exists a 
polynomial-time computable function $g$ such that for every instance $x_1 \in L_1$ we have 
$w(t(x_1)) = g(w(x_1))$ then we say that $L_1$ is Levin-reducible to $L_2$. (This is "half the 
condition" in the definition of polynomial reducibility as it appeared in Levin's paper 
"Universal Search Problems" [L].) Thus, it suffices to verify that the generic reduction to 
SAT, and the "popular" reductions of SAT to 3SAT and of 3SAT to 3C, are all in fact 
Levin-reductions. QED 

Remark 8: Theorem 1 can be generalized to show that not only NP is in zero-knowledge, 
but also "probabilistic NP" is. In other words, if $f(\cdot,\cdot)$ is a secure probabilistic 
encryption, then for every fixed $k$ every language in $IP(k)$ has zero-knowledge 
proof systems. The same holds for Theorem 2 and all languages in $RIP(k)$ (note that 
Goldwasser and Sipser's transformation of $IP(k)$-protocols to $RIP(k)$-protocols requires 
the prover to conduct approximate counting). For more details see [GMW]. 

4. Examples of Particular Applications of Theorem 2 

Theorem 2 has a dramatic effect on the design of cryptographic protocols. Typically 
these protocols must cope with the problem of the parties convincing each other that 
they are sending messages which are computed according to the protocol. Such proofs 
should be carried out without yielding any secret knowledge. Since it is always possible 
to give NP proofs that the messages are computed properly, we can now give zero-knowledge 
proofs of this fact. Let us demonstrate this point by using Theorem 2 to 
present simple solutions to three problems, which until recently were considered 
extremely difficult or even impossible. The more general implications of Theorem 2 are 
outlined in Section 5. 

A central notion in the field of cryptography is that of a secret. By a secret we 
mean a piece of data that once given can be recognized as the desired one. More formally, 
a secret $s$ is recognizable through $g(s)$ if $g$ is a one-way function. For example, 
the factorization $(p,q)$ of a composite integer $N = pq$ is a secret recognizable through 
$N$. The digital signature $S_U(m)$ of user $U$ to the message $m$ is a secret recognizable 
through the message $m$ and the public-key of $U$. 

4.1 Oblivious Transfer of Arbitrary Secrets 

The notion of Oblivious Transfer, suggested by Rabin [R2], has attracted a lot of 
attention within the study of cryptographic protocols. An Oblivious Transfer is a two-party 
protocol through which one party (unknowingly) transfers with probability 1/2 a 
large amount of knowledge to his counterpart, and yields no knowledge otherwise [R2, 
EGL]. Initially, the sender ($S$) knows a secret $s$ recognizable through $g(s)$, and the 
receiver ($R$) knows $g(s)$. If both parties follow the protocol then $R$ gets $s$ with probability 
1/2. If $R$ follows the protocol then for $S$, the a-posteriori probability that $R$ got 
$s$ equals the a-priori probability. Rabin required that an attempt by $S$ to reduce the 
probability that $R$ receives $s$ is detected [R2] with very high probability; while Even, 
Goldreich and Lempel only required that such an attempt is detected with probability 
1/2 [EGL]. 

In the following we will assume that factoring is hard. For the case that the secret 
is the factorization of a given integer, a protocol satisfying Rabin's conditions was 
presented by Fischer, Micali, Rackoff and Wittenberg [FMRW] (modifying [R2]). This 
protocol easily extends to arbitrary secrets, but in this case detection of "cheating" is 
only guaranteed with probability 1/2. It has been conjectured that no protocol can meet 
Rabin's condition (i.e. allow to always detect attempts to reduce the probability of a 
transfer) for arbitrary secrets [EGL]. 

Using Theorem 2, we show that the conjecture in [EGL] is false. The proposed protocol 
proceeds as follows: First, the sender encrypts the secret $s$ using a randomly chosen 
composite $N$. Next, the sender provides the receiver with a zero-knowledge proof that 
the encrypted message is indeed the desired secret (note that this is an NP statement). 
Finally, the sender uses the [FMRW] Oblivious Transfer to send the factorization of $N$ 
such that it is received with probability 1/2. 

Remark 9: Recently, we presented an Oblivious Transfer protocol based on the security 
of an arbitrary public-key encryption function. 

4.2 Verifiable Secret Sharing 

The notion of a verifiable secret sharing was presented by Chor, Goldwasser, Micali, 
and Awerbuch [CGMA], and constitutes a powerful tool for multi-party protocol design. 
A verifiable secret sharing is an $(n+1)$-party protocol through which a sender ($S$) can distribute 
to the receivers ($R_i$'s) pieces of a secret $s$ recognizable through $g(s)$. The $n$ 
pieces satisfy the following three conditions (with respect to $1 \le l < u \le n$): 

1) It is infeasible to obtain any partial information about the secret from any $l$ pieces; 

2) Given any u messages the entire secret can be easily computed; 

3) Given a piece it is easy to verify that it belongs to a set satisfying condition (2). 

The notion of a verifiable secret sharing differs from Shamir's secret sharing [Sha], in 
that the secret is recognizable and that the pieces should be verifiable as authentic (i.e. 
condition (3)). 

We will consider solutions which are polynomial in $n$ and in the security parameter. 
The first solution, presented in [CGMA], relies on RSA (resp. factoring) and works 
for $l = O(\log n)$ (resp. $l = O(\log \log n)$, see also [CGG]). Relying on the difficulty of 
testing quadratic residuosity this solution was improved, independently by [FM] and 
[AGY], to allow $l = \alpha n$ and $u = (1-\alpha)n$ for every fixed $\alpha < 1/2$. Recently, Feldman [F] 
presented a solution allowing $u = l+1 \le n$, assuming the intractability of the discrete 
logarithm function. Most of the above solutions are conceptually very complicated. 

Combining Theorem 2 with Shamir's scheme [Sha], we present a conceptually simple 
solution allowing $u = l+1 \le n$, assuming the existence of arbitrary one-way permutations. 
To share a secret $s \in Z_p$ recognizable through $g(s)$, the sender proceeds as follows: 
First, the sender chooses at random an $l$-degree polynomial over $Z_p$ and evaluates it 
at $n$ fixed points (these are the pieces in Shamir's scheme). Next, the sender encrypts 
the $i$th piece using the Public-Key of the $i$th receiver, and sends all encrypted secrets to 
all receivers. Finally, the sender provides each receiver with a zero-knowledge proof that 
the encrypted messages correspond to the evaluation of a single polynomial over $Z_p$ 
(note that this is an NP statement). 

Recently, Benaloh has presented a much more efficient solution based on the intrac- 
tability of quadratic residuosity [Bena]. 

4.3 Proving that a String is Pseudorandom 

The notion of a pseudorandom bit generator, suggested by Blum and Micali [BM] 
and Yao [Y], is central to cryptography. A pseudorandom bit generator is an efficient 
deterministic program which stretches a randomly selected n-bit long seed into a longer 
bit sequence which is polynomially-indistinguishable from a random string [BM, Y]. A 
pseudorandom function generator is an efficient deterministic program that uses a ran- 
dom n-bit seed to construct an oracle which is polynomially-indistinguishable from a 
random oracle [GGM]. 

Using Theorem 2, a party which has selected the seed can present zero-knowledge 
proofs that the sequence/function he is producing/implementing is indeed pseudoran- 
dom. 

5. Two Theorems for Cryptographic Protocols 

In this section, we present an extremely powerful methodology for designing correct 
cryptographic protocols. The methodology consists of efficient "correctness and privacy 
preserving" transformations of protocols from a weak adversary model to the most 
adversarial model. These transformations are informally summarized as follows: 

Informal Theorem A: There exists an efficient compiler transforming a protocol P 
designed for $n = 2t+1$ honest players, to a cryptographic protocol P' that 
achieves the same goals even if $t$ of its $n$ players are faulty. Faulty players are 
allowed to deviate from P' in an arbitrary but polynomial-time way. 

In the formal statement of the corresponding Theorem, we avoid talking about "achiev- 
ing goals". The "goal of a protocol" is a semantic object that is not well understood. 
Instead, we make statements about well understood syntactic objects: the probability 
distribution on the tapes of interactive machines. In the final version of this paper we 
will define the notions of a "correctness preserving compiler" and a "privacy preserving 
compiler". Both notions will be defined as relations between the probability distribution 
on the tapes of interactive machines during the execution of protocol P (in a weak 
adversarial environment) and the distribution on these tapes during the execution of P' 
(in a strong adversarial environment). Loosely speaking, "preserving correctness" means 
that whatever a party could compute after participating in the original protocol P , he 
could also compute when following the transformed protocol P' , properly. "Preserving 
privacy" means that whatever a set of dishonest players can compute after participating 
in P' , the corresponding players in P can compute when sharing their "knowledge" 
after participating in P . Similarly we formalize the following 

Informal Theorem B: There exists an efficient compiler transforming a two-party 
protocol P that is correct in a fail-stop model, to a cryptographic two-party 
protocol P' that achieves the same goals even if one of the players deviates from 
P' in an arbitrary but polynomial-time way. 

The proofs of the above Theorems make primary use of Theorem 2 to allow a machine 
to "prove" to other machines that a message it sent is computed according to the protocol. 
In addition, these proofs make innovative use of most of the cryptographic techniques 
developed in recent years. Essential ingredients in the proof of Theorem A are the 
notions of verifiable secret sharing and simultaneous broadcast proposed and first implemented 
by Chor, Goldwasser, Micali, and Awerbuch [CGMA]. An essential ingredient in 
the proof of Theorem B is Blum's "coin flipping into the well" [Blu]. 

Further Improvements 

Theorem A constitutes a procedure for automatically constructing fault-tolerant 
protocols, the goal of which is to compute a predetermined function of the private inputs 
scattered among the players. This procedure takes as input a distributed specification of 
the function (i.e. a protocol for honest players), not the function itself. It is guaranteed 
that this procedure will output a fault-tolerant protocol for computing this very function 
(i.e. the "correctness" condition) and that the "privacy" present in the specification will 
be preserved. Thus, the degree of privacy offered by the output fault-tolerant protocol 
depends on the specification, and not on the function to be computed. Furthermore, for 
some functions $f$ it seems to be difficult to write a distributed specification (protocol for 
honest players) which offers the maximum degree of privacy. 

Recently (see forthcoming paper [GMW2]), we found a polynomial-time algorithm 
which on input a Turing machine specification of an $n$-ary function $f$, outputs a protocol 
for $n$ honest players which offers maximum privacy. Namely, at the termination of 
the protocol, each subset of players can compute from their joint local history only 
whatever they could have computed from their corresponding local inputs and the value 
of the function. Thus, we achieve for any $n$-ary function what Benaloh [Bena] has 
achieved for the addition and multiplication functions. 

Combined with the compiler of Theorem A, our algorithm constitutes an automatic 
generator of fault-tolerant protocols. This may be viewed as a completeness theorem for 
fault tolerant distributed computation. 
Abstract. 

In this paper we describe simple identification and signature schemes which enable any user 
to prove his identity and the authenticity of his messages to any other user without shared 
or public keys. The schemes are provably secure against any known or chosen message attack 
if factoring is difficult, and typical implementations require only 1% to 4% of the number of 
modular multiplications required by the RSA scheme. Due to their simplicity, security and speed, 
these schemes are ideally suited for microprocessor-based devices such as smart cards, personal 
computers, and remote control systems. 



1. Introduction 

Creating unforgeable ID cards based on the emerging technology of smart cards is an im- 
portant problem with numerous commercial and military applications. The problem becomes 
particularly challenging when the two parties (the prover A and the verifier B) are adversaries, 
and we want to make it impossible for B to misrepresent himself as A even after he witnesses and 
verifies arbitrarily many proofs of identity generated by A. Typical applications include passports 
(which are often inspected and photocopied by hostile governments), credit cards (whose numbers 
can be copied to blank cards or used over the phone), computer passwords (which are vulnerable 
to hackers and wire tappers) and military command and control systems (whose terminals may 
fall into enemy hands). We distinguish between three levels of protection: 

1) Authentication schemes: A can prove to B that he is A, but someone else cannot prove 
to B that he is A. 

2) Identification schemes: A can prove to B that he is A, but B cannot prove to someone 
else that he is A. 

3) Signature schemes: A can prove to B that he is A, but B cannot prove even to himself 
that he is A. 

Authentication schemes are useful only against external threats when A and B cooperate. The distinction between identification and signature schemes is subtle, and manifests itself mainly when the proof is interactive and the verifier later wants to prove its existence to a judge: In identification schemes B can create a credible transcript of an imaginary communication by carefully choosing both the questions and the answers in the dialog, while in signature schemes only real communication with A could generate a credible transcript. However, in many commercial and military applications the main problem is to detect forgeries in real time and to deny the service, access or response that the forger wants. In these cases the transcript and judge are irrelevant, and the two types of schemes can be used interchangeably.



2. Interactive Identification 
2.1 Background 

The new identification scheme is a combination of zero-knowledge interactive proofs (Goldwasser, Micali and Rackoff [1985]) and identity-based schemes (Shamir [1984]). It is based on the difficulty of extracting modular square roots when the factorization of $n$ is unknown. A related protocol for proving the quadratic residuosity of numbers was presented by Fischer, Micali and Rackoff at Eurocrypt 84 (it did not appear in the proceedings), but the new protocol is faster and requires less communication. The main contribution of this paper is to show the relevance of such protocols to practical identification and signature problems.

The scheme assumes the existence of a trusted center (a government, a credit card company, 
a computer center, a military headquarters, etc.) which issues the smart cards to users after 
properly checking their physical identity. No further interaction with the center is required either 
to generate or to verify proofs of identity. An unlimited number of users can join the system 
without degrading its performance, and it is not even necessary to keep a list of all the valid users. 
Interaction with the smart cards will not enable verifiers to reproduce them, and even complete 
knowledge of the secret contents of all the cards issued by the center will not enable adversaries to 
create new identities or to modify existing identities. Since no information whatsoever is leaked 
during the interaction, the cards can last a lifetime regardless of how often they are used. 



2.2 The Scheme 

Before the center starts issuing cards, it chooses and makes public a modulus $n$ and a pseudo random function $f$ which maps arbitrary strings to the range $[0, n)$. The modulus $n$ is the product of two secret primes $p$ and $q$, but unlike the RSA scheme, only the center knows the factorization of the modulus and thus everyone can use the same $n$. The function $f$ should be indistinguishable from a truly random function by any polynomially bounded computation. Goldreich, Goldwasser and Micali [1984] describe a particular family of functions which is provably strong in this sense, but we believe that in practice one can use simpler and faster functions (e.g., multiple DES) without endangering the security of the scheme.

When an eligible user applies for a smart card, the center prepares a string I which contains 
all the relevant information about the user (his name, address, ID number, physical description, 
security clearance etc.) and about the card (expiration date, limitations on validity, etc). Since 
this is the information verified by the scheme, it is important to make it detailed and to double 
check its correctness. The center then performs the following steps: 

1. Compute the values $v_j = f(I, j)$ for small values of $j$.

2. Pick $k$ distinct values of $j$ for which $v_j$ is a quadratic residue (mod $n$) and compute the smallest square root $s_j$ of $v_j^{-1}$ (mod $n$).

3. Issue a smart card which contains $I$, the $k$ $s_j$ values, and their indices.
Remarks:

1. To simplify notation in the rest of this paper, we assume that the first $k$ indices $j = 1, 2, \ldots, k$ are used.

2. For non-perfect functions $f$, it may be advisable to randomize $I$ by concatenating it to a long random string $R$ which is chosen by the center, stored in the card, and revealed along with $I$.

3. In typical implementations, $k$ is between 1 and 18, but larger values of $k$ can further reduce the time and communication complexities of the scheme.

4. $n$ should be at least 512 bits long. Factoring such moduli seems to be beyond reach with today's computers and algorithms, with adequate margins of safety against foreseeable developments.

5. The center can be eliminated if each user chooses his own $n$ and publishes it in a public key directory. However, this RSA-like variant makes the schemes considerably less convenient.

The verification devices are identical standalone devices which contain a microprocessor, a small memory, and an I/O interface. The only information stored in them is the universal modulus $n$ and the function $f$. When a smart card is inserted into a verifier, it proves that it knows $s_1, \ldots, s_k$ without giving away any information about their values. The proof is based on the following protocol:

1. A sends $I$ to B.

2. B generates $v_j = f(I, j)$ for $j = 1, \ldots, k$.

Repeat steps 3 to 6 for $i = 1, \ldots, t$:

3. A picks a random $r_i \in [0, n)$ and sends $x_i = r_i^2 \pmod n$ to B.

4. B sends a random binary vector $(e_{i1}, \ldots, e_{ik})$ to A.

5. A sends to B:
$$y_i = r_i \prod_{e_{ij}=1} s_j \pmod n.$$

6. B checks that
$$x_i = y_i^2 \prod_{e_{ij}=1} v_j \pmod n.$$

Remarks:

1. The verifier B accepts A's proof of identity only if all the $t$ checks are successful.

2. To decrease the number of communicated bits, A can hash $x_i$ by sending B only the first 128 bits of $f(x_i)$ in step 3. B can check the correctness of this value in step 6 by applying $f$ to the right hand side of the equation and comparing the first 128 bits of the results.

3. A can authenticate a particular message $m$ (e.g., an instruction to a remote control system or a program sent to a remote computer) without having to extract new square roots by sending B the first 128 bits of $f(m, x_i)$ in step 3. If B knows $m$, he can easily check this value in step 6. A is fully protected against modifications and forgeries of his messages by the pseudo random nature of $f$, but this is not a real signature scheme: without participating in the interaction, a judge cannot later decide if a message is authentic.
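The card issuance and the $t$-round protocol above, run end to end on toy parameters as an added example (this is not code from the paper). SHA-256 stands in for the pseudo-random function $f$, the primes $p = 10007$ and $q = 10039$ and the identity string are constructed values, and the cheating prover from the proof of Lemma 2 (guess $e_{ij}$ in advance, answer $y_i = r_i$) is included so that its $2^{-k}$ per-round success rate can be measured.

```python
"""Fiat-Shamir identification (Section 2.2) on toy parameters.

Added example, not code from the paper: SHA-256 stands in for the
pseudo-random function f, the primes are tiny constructed values, and
the identity string I is a plain label. k = 5, t = 4 follows the
paper's 2^-20 recommendation.
"""
import hashlib
import secrets

# Constructed toy primes, both 3 (mod 4), so a square root mod p is a^((p+1)/4).
P, Q = 10007, 10039
N = P * Q


def f(*parts):
    """Pseudo-random function f: any tuple of values -> [0, N). SHA-256 is an assumption."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def is_qr(v):
    """Euler's criterion mod p and mod q: v is a square mod N iff it is a square mod both."""
    return pow(v, (P - 1) // 2, P) == 1 and pow(v, (Q - 1) // 2, Q) == 1


def sqrt_mod_n(a):
    """One square root of a quadratic residue a mod N; needs the factorization (center only)."""
    rp = pow(a, (P + 1) // 4, P)
    rq = pow(a, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N  # CRT combination


def issue_card(I, k):
    """Center: the k smallest j with v_j = f(I, j) a quadratic residue, and s_j = sqrt(v_j^-1)."""
    card, j = {}, 1
    while len(card) < k:
        v = f(I, j)
        if is_qr(v):
            card[j] = sqrt_mod_n(pow(v, -1, N))
        j += 1
    return card  # {j: s_j}; the real card also carries I and the indices j


def check_round(x, y, e, v):
    """B's step 6: x == y^2 * prod_{e_j = 1} v_j (mod N)."""
    rhs = y * y % N
    for j, bit in e.items():
        if bit:
            rhs = rhs * v[j] % N
    return rhs == x


def identify(I, card, t):
    """Honest A (holding the card) proves to B (knowing only N and f) over t rounds."""
    indices = sorted(card)
    v = {j: f(I, j) for j in indices}                   # B, step 2
    for _ in range(t):
        r = secrets.randbelow(N - 1) + 1
        x = r * r % N                                    # A, step 3
        e = {j: secrets.randbelow(2) for j in indices}   # B, step 4
        y = r
        for j in indices:
            if e[j]:
                y = y * card[j] % N                      # A, step 5
        if not check_round(x, y, e, v):
            return False
    return True


def cheat_round(I, indices):
    """Lemma 2's cheater: guess e in advance, send x = r^2 prod_{guess} v_j and y = r."""
    v = {j: f(I, j) for j in indices}
    guess = {j: secrets.randbelow(2) for j in indices}
    r = secrets.randbelow(N - 1) + 1
    x = r * r % N
    for j in indices:
        if guess[j]:
            x = x * v[j] % N
    e = {j: secrets.randbelow(2) for j in indices}       # B's real challenge
    return check_round(x, r, e, v)                       # passes only when guess == e


def cheat_success_rate(I, k, trials):
    """Empirical per-round success of the cheater; Lemma 2 predicts 2^-k."""
    indices = list(range(1, k + 1))
    return sum(cheat_round(I, indices) for _ in range(trials)) / trials


if __name__ == "__main__":
    card = issue_card("Alice, ID 0001", 5)
    print("honest proof accepted:", identify("Alice, ID 0001", card, 4))
    print("card presented under another I:", identify("Mallory, ID 0002", card, 4))
    print("cheater per-round rate, k = 1:", cheat_success_rate("Alice, ID 0001", 1, 2000))
```

Only the center ever calls `sqrt_mod_n`; the verifier's entire state is `N` and `f`, which is what lets the verification devices be standardized as Section 4 describes. The cheater's rate with $k = 1$ comes out near one half, and drops to about $2^{-k}$ as $k$ grows.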



2.3 Security 



Lemma 1: If A and B follow the protocol, B always accepts the proof as valid.

Proof: By definition
$$y_i^2 \prod_{e_{ij}=1} v_j = r_i^2 \prod_{e_{ij}=1} (s_j^2 v_j) = r_i^2 = x_i \pmod n. \qquad \square$$

Lemma 2: Assume that A does not know the $s_j$ and cannot compute in polynomial time the square root of any product of the form $\prod_{j=1}^k v_j^{c_j} \pmod n$ ($c_j = -1, 0$ or $+1$, not all of them zero). If B follows the protocol (and A performs arbitrary polynomial time computations), B will accept the proof as valid with probability bounded by $2^{-kt}$.

Proof (Sketch): A can cheat by guessing the correct $e_{ij}$ vectors and sending
$$x_i = r_i^2 \prod_{e_{ij}=1} v_j \pmod n \quad \text{and} \quad y_i = r_i.$$

However, the probability of this event is only $2^{-k}$ per iteration and $2^{-kt}$ for the whole protocol. To increase this probability, A must choose the $x_i$ values in such a way that for a non-negligible fraction of them he can compute the square roots $y_i'$ and $y_i''$ of
$$x_i \Big/ \prod_{e_{ij}=1} v_j \pmod n$$
for two vectors $e_{ij}'$ and $e_{ij}''$. The ratio $y_i'/y_i'' \pmod n$ is then a square root of a product of the form $\prod_{j=1}^k v_j^{c_j} \pmod n$. This contradicts the assumption, since A himself can simulate B's random questions and thus compute in expected polynomial time a value we assumed he cannot compute. $\square$

Lemma 3: For a fixed $k$ and arbitrary $t$, this is a zero-knowledge proof.

Proof (Sketch): The intuitive (but non-rigorous) reason the proof reveals no information whatsoever about the $s_j$ is that the $x_i$ are random squares, and each $y_i$ contains an independent random variable which masks the values of the $s_j$. All the messages sent from A to B are thus random numbers with uniform probability distributions, and cheating by B cannot change this fact.

To prove this claim formally, in the full paper we exhibit a probabilistic algorithm which simulates the communication between A and B without knowing the $s_j$ with a probability distribution which is indistinguishable from the real distribution. The expected running time of this algorithm is $t \cdot 2^k$ times the sum of the expected running times of A and B. By assumption, this running time is polynomial. $\square$

Remarks:

1. Throughout this paper, $2^{kt}$ is assumed to be much smaller than the time required to factor the modulus $n$.

2. The quadratic residuosity protocol of Fischer, Micali and Rackoff is a special case of this protocol with $k = 1$. The main practical advantage of the new protocol is that for the same security we can use only the square root of the number of iterations, which reduces the time and communication complexities of the protocol and its applications.

3. An adversary who records polynomially many proofs of identity cannot increase his chance of success: If he reuses a recorded $x_i$, he can playback the recorded answers only if the questions happen to be the same. Since A uses each $x_i$ only once, the probability of success is still $2^{-kt}$.

4. In the parallel version of this protocol, A sends all the $x_i$, then B sends all the $e_{ij}$, and finally A sends all the $y_i$. This version is not zero-knowledge for technical reasons, but its security can be formally proven by the techniques developed in Section 3.

The $2^{-kt}$ probability of forgery is an absolute constant, and thus there is no need to pick large values of $k$ and $t$ as a safeguard against future technological developments. In most applications, a security level of $2^{-20}$ suffices to deter cheaters. No one will present a forged passport at an airport, give a forged driver's license to a policeman, use a forged ID badge to enter a restricted area, or use a forged credit card at a department store, if he knows that his probability of success is only one in a million. In all these applications, the forged ID card (rather than the transcript of the communication) can be presented to a judge as evidence in a trial. Even if the only penalty for a failed attempt is the confiscation of the card, and smart cards cost only \$1 to manufacture, each success will cost about one million dollars. For national security applications, we can change the security level to $2^{-30}$: Even a patient adversary with an unlimited budget, who tries to misrepresent himself 1000 times each day, is expected to succeed only once every 3000 years.



2.4 Complexity 

To attain a $2^{-20}$ level of security, it suffices to choose $k = 5$, $t = 4$ (for $2^{-30}$, increase these values by 1). The average number of modular multiplications required to generate or verify a proof of identity in this case is $t(k + 2)/2 = 14$. The number of bytes exchanged by the parties during the proof is 323, and the secret $s_j$ values can be stored in a 320 byte ROM. Even better performance can be obtained by increasing $k$ to 18 (a 1152 byte ROM). If we use $e_{ij}$ vectors with at most three 1's in them, we have a choice of 988 possible vectors in each iteration. With $t = 2$ iterations, the security level remains about one in a million, but the number of transmitted bytes drops to 165 and the average number of modular multiplications drops to 7.6 (which is two orders of magnitude faster than the 768 multiplications required by the RSA scheme). Note that the $2 \times 18$ $e_{ij}$ matrix is so sparse that B has to generate at most 6 out of the 18 $v_j$ values to verify the proof.

The time, space, communication and security of the scheme can be traded off in many possible ways, and the optimal choices of $k$, $t$ and the $e_{ij}$ matrix depend on the relative costs of these resources. Further improvements in speed can be obtained by parallelizing the operations. Unlike the RSA scheme, the two parties can pipeline their operations (with A preparing $x_{i+1}$ and $y_{i+1}$ while B is still checking $x_i$ and $y_i$), and use parallel multipliers to compute the product of $v_j$ or $s_j$ values in $\log k$ depth. Since the protocol uses only multiplication (and no gcd or division operations which are hard to parallelize), each iteration of the protocol is in NC, and thus the scheme is suitable for very high speed applications.



3. Signatures 
3.1 The Scheme 

B's role in the interactive identification scheme is passive but crucial: The random $e_{ij}$ matrix he sends contains no information but its unpredictability prevents cheating by A. To turn this identification scheme into a signature scheme, we replace B's role by the function $f$ and obtain the following protocol:
To sign a message $m$:

1. A picks random $r_1, \ldots, r_t \in [0, n)$ and computes $x_i = r_i^2 \pmod n$.

2. A computes $f(m, x_1, \ldots, x_t)$ and uses its first $kt$ bits as $e_{ij}$ values ($1 \le i \le t$, $1 \le j \le k$).

3. A computes
$$y_i = r_i \prod_{e_{ij}=1} s_j \pmod n \quad \text{for } i = 1, \ldots, t$$
and sends $I$, $m$, the $e_{ij}$ matrix and all the $y_i$ to B.

To verify A's signature on $m$:

1. B computes $v_j = f(I, j)$ for $j = 1, \ldots, k$.

2. B computes
$$z_i = y_i^2 \prod_{e_{ij}=1} v_j \pmod n \quad \text{for } i = 1, \ldots, t.$$

3. B verifies that the first $kt$ bits of $f(m, z_1, \ldots, z_t)$ are $e_{ij}$.
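The signing and verification steps above as an added example, not the paper's code. SHA-256 plays $f$ and the primes 10007 and 10039 are constructed toy values; to stay self-contained, the keys are generated in the direction used by the proof of Lemma 6 (random $s_j$, then $v_j = s_j^{-2} \bmod n$) rather than being derived from $I$ through $f$. The block also measures the guess-the-$e_{ij}$-matrix forgery rate that Section 3.3 uses to motivate $kt \ge 72$.

```python
"""Fiat-Shamir signatures (Section 3.1) on toy parameters.

Added example, not code from the paper. Keys are generated as in the
proof of Lemma 6 (random s_j, v_j = s_j^-2 mod n) instead of deriving
v_j from I through f; SHA-256 stands in for f; primes are constructed.
"""
import hashlib
import math
import secrets

P, Q = 10007, 10039          # constructed toy primes
N = P * Q


def f_bits(m, xs, nbits):
    """First nbits of f(m, x_1, ..., x_t); SHA-256 stands in for f (assumption)."""
    data = (m + "|" + "|".join(str(x) for x in xs)).encode()
    digest = hashlib.sha256(data).digest()
    assert nbits <= 8 * len(digest)
    return [(digest[b // 8] >> (7 - b % 8)) & 1 for b in range(nbits)]


def keygen(k):
    """Secret s_1..s_k and public v_j = s_j^-2 (mod N), so that s_j^2 v_j = 1 as in the paper."""
    s = []
    while len(s) < k:
        cand = secrets.randbelow(N - 1) + 1
        if math.gcd(cand, N) == 1:
            s.append(cand)
    v = [pow(sj * sj % N, -1, N) for sj in s]
    return s, v


def sign(m, s, t):
    """A's three steps: x_i = r_i^2, e = first kt bits of f(m, x), y_i = r_i prod_{e_ij=1} s_j."""
    k = len(s)
    r = [secrets.randbelow(N - 1) + 1 for _ in range(t)]
    x = [ri * ri % N for ri in r]
    e = f_bits(m, x, k * t)                 # e[i*k + j] is e_ij
    y = []
    for i in range(t):
        yi = r[i]
        for j in range(k):
            if e[i * k + j]:
                yi = yi * s[j] % N
        y.append(yi)
    return e, y


def verify(m, v, signature):
    """B's steps 2 and 3: z_i = y_i^2 prod_{e_ij=1} v_j, then recompute the kt bits of f."""
    e, y = signature
    k, t = len(v), len(y)
    if len(e) != k * t:
        return False
    z = []
    for i in range(t):
        zi = y[i] * y[i] % N
        for j in range(k):
            if e[i * k + j]:
                zi = zi * v[j] % N
        z.append(zi)
    return f_bits(m, z, k * t) == e


def forgery_rate(m, v, t, attempts):
    """Section 3.3: an adversary who picks e and random y_i can test his own forgery;
    each attempt succeeds with probability about 2^-kt."""
    k = len(v)
    hits = 0
    for _ in range(attempts):
        e = [secrets.randbelow(2) for _ in range(k * t)]
        y = [secrets.randbelow(N - 1) + 1 for _ in range(t)]
        hits += verify(m, v, (e, y))
    return hits / attempts


if __name__ == "__main__":
    s, v = keygen(9)                          # k = 9, t = 8: the paper's 2^-72 choice
    sig = sign("open valve 3", s, 8)
    print("valid signature:", verify("open valve 3", v, sig))
    print("same signature, altered message:", verify("open valve 4", v, sig))
    s2, v2 = keygen(2)
    print("forgery rate with kt = 4:", forgery_rate("msg", v2, 2, 4000))
```

With $kt = 4$ the forgery rate comes out near $1/16$, which is exactly why the interactive $kt = 20$ is not enough once the verifier is replaced by $f$: the forger can run the check himself and only sends the attempt that passed.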


3.2 Security

The formal proof of security in this extended abstract assumes that $n$ is sufficiently large and that $f$ is a truly random function. Consequently, there can be no generic attack which breaks the scheme for any $n$ and $f$ unless factoring is easy. Practical implementations which use particular moduli $n_0$ and pseudo-random functions $f_0$ may still be vulnerable to specialized attacks, but they merely show that $n_0$ is too small or that $f_0$ is demonstrably non-random. When $n_0$ is at least 512 bits long and $f_0$ is sufficiently strong (e.g., multiple DES with a fixed cleartext and variable key), such attacks are quite unlikely.

Lemma 4: If A and B follow their protocols, B always accepts the signature as valid.

Proof: By definition,
$$z_i = y_i^2 \prod_{e_{ij}=1} v_j = r_i^2 \prod_{e_{ij}=1} (s_j^2 v_j) = r_i^2 = x_i \pmod n,$$
and thus $f(m, z_1, \ldots, z_t) = f(m, x_1, \ldots, x_t)$. $\square$

Lemma 5: A chooses a particular signature among all the possible signatures for the message $m$ with uniform probability distribution.

Proof: Given a signature ($e_{ij}$ matrix and $y_i$ values), it is possible to recreate $r_1^2, \ldots, r_t^2 \pmod n$ uniquely, and $r_1, \ldots, r_t$ in exactly $4^t$ ways. Since A chooses the $r_i$ at random, the various signatures are chosen with equal probabilities. $\square$

Lemma 6: Let AL be any polynomial time probabilistic algorithm which accepts $n, v_1, \ldots, v_k$ and the signatures of arbitrary messages $m_1, m_2, \ldots$ of its choice, and produces a valid signature of another message $m_0$ of its choice. If the complexity of factoring and $2^{kt}$ grow non-polynomially with the size of $n$, AL cannot succeed with non-negligible probability for random functions $f$.

Proof (Sketch): By contradiction. Using a simple combinatorial argument, we can prove that a polynomial time variant AL' of AL can compute a square root of some product $\prod_{j=1}^k v_j^{c_j} \pmod n$ ($c_j = -1, 0$, or $+1$, not all of them zero) with a similar probability of success.

To turn AL' into a factoring algorithm for $n$, pick random $s_1, \ldots, s_k$ and define $v_j = s_j^{-2} \pmod n$. Execute AL' with $n, v_1, \ldots, v_k$ as input, and use the $s_j$ to supply the signatures of $m_1, m_2, \ldots$ requested by AL'. The output of AL' is a square root $Q$ of $\prod_{j=1}^k v_j^{c_j} \pmod n$, but another square root $S$ ($= \prod_{j=1}^k s_j^{-c_j} \pmod n$) is already known. By Lemma 5, AL' cannot find out which one of the four possible roots is $S$ by analysing the given signatures of $m_1, m_2, \ldots$. Consequently, $\gcd(Q - S, n)$ is a proper factor of $n$ with probability 1/2. By repeating this procedure several times, we can make this probability arbitrarily close to 1. $\square$

It is easy to forge signatures for arbitrary messages $m_0$ in time $T$ with probability $T \cdot 2^{-kt}$ by guessing the $e_{ij}$ matrix $T$ times. A refinement of Lemma 6 shows that when the complexity of factoring is considerably higher than $2^{kt}$, this attack is essentially optimal:

Lemma 7: Let AL be any probabilistic algorithm of the type described in Lemma 6. If AL runs in time $T$ and succeeds with probability $(1 + \epsilon) T 2^{-kt}$ for random functions $f$, then $n$ can be factored with non negligible probability in time $T^2 \cdot 2^{kt}$.

Proof: Will be given in the full paper. $\square$

Corollary 8: If $k$ and $t$ are chosen so that the ratio between the complexity of factoring and $2^{kt}$ grows non-polynomially with the size of $n$, then the $T 2^{-kt}$ probability of forgery is tight for polynomial time attacks.

Discussion

The sequential version of the interactive identification scheme is zero-knowledge and thus B cannot deduce any information whatsoever about the $s_j$ from his interaction with A. The parallel identification scheme and the signature scheme, on the other hand, cannot be proven zero-knowledge for very subtle technical reasons. In fact, strong signature schemes cannot be zero-knowledge by definition: If everyone can recognize valid signatures but no one can forge them, B cannot generate by himself A's messages with the same probability distribution. However, Corollary 8 shows that the information about the $s_j$'s that B gets from signatures generated by A is so implicit that it cannot be used to forge new signatures, and thus the signature scheme is provably secure (if factoring is difficult) even though it is not zero-knowledge.



3.3 Complexity

In the proposed signature scheme, an adversary knows in advance whether his signature will be accepted as valid, and thus by experimenting with $2^{kt}$ random $r_i$ values, he is likely to find a signature he can send to B. Consequently, the product $kt$ must be increased from 20 to at least 72 when we replace the identification scheme by a signature scheme.

A choice of $k = 9$, $t = 8$ attains the desired $2^{-72}$ security level. The private key can be stored in a 576 byte ROM, and each signature requires 521 bytes. The average number of modular multiplications for this choice is $t(k + 2)/2 = 44$.

By doubling the key size to 1152 bytes ($k = 18$), we can reduce the size of each signature to 265 bytes ($t = 4$) without changing the $2^{-72}$ security level. By optimizing the order of the multiplications to compute the $t$ subset products simultaneously, we can reduce their average number to 32. This is only 4% of the number of multiplications required in the RSA signature scheme. Other points along the tradeoff curve for the $2^{-72}$ security level are summarized in Table 1.
Table 1: Tradeoffs for $k$ and $t$ at the $2^{-72}$ Security Level

  k |  t | Secret Key Size | Signature Size | Average # Mult. | Average # Mult. | Average # v_j
    |    |      (in bytes) |     (in bytes) |      (Standard) |     (Optimized) |   B generates
----+----+-----------------+----------------+-----------------+-----------------+--------------
  1 | 72 |              64 |       4608 + 9 |             108 |             108 |             1
  2 | 36 |             128 |       2304 + 9 |              72 |              64 |             2
  3 | 24 |             192 |       1536 + 9 |              60 |              49 |             3
  4 | 18 |             256 |       1152 + 9 |              54 |              46 |             4
  6 | 12 |             384 |        768 + 9 |              48 |              41 |             6
  8 |  9 |             512 |        576 + 9 |              45 |              45 |             8
  9 |  8 |             576 |        512 + 9 |              44 |              44 |             9
 12 |  6 |             768 |        384 + 9 |              42 |              35 |            12
 18 |  4 |            1152 |        256 + 9 |              40 |              32 |            17
 24 |  3 |            1536 |        192 + 9 |              39 |              28 |            21
 36 |  2 |            2304 |        128 + 9 |              38 |              30 |            24
 72 |  1 |            4608 |         64 + 9 |              37 |              37 |            36



4. Extensions 



A unique feature of the new identification and signature schemes is that it is possible to change their level of security after the key has been chosen. Consider, for example, an access card with $k = 18$ $s_j$ values: The fast screening procedure at the entrance to the building will be controlled with $t = 1$ ($2^{-18}$ security level), access to the computer room will be controlled by $t = 2$ ($2^{-36}$ security level), while any usage of the computer will leave signed audit trails with $t = 4$ ($2^{-72}$ security level). The only dangerous case is the simultaneous usage of the same $s_j$ values in a parallel identification scheme with a large $t$ and in a signature scheme with a small $t$ (an unlikely combination), which is susceptible to an active playback attack.

Since the verification devices store only small amounts of publicly available information, 
it is possible to standardize them: One device can store several values of n and / and thus 
check a variety of personal, financial and occupational ID cards provided by many independent 
organizations. This possibility is particularly important in department stores which have to 
recognize many types of credit cards or in check cashing situations which require three ID cards 
of many possible types. 

The proposed schemes can be generalized in a variety of ways. For example, the square roots can be replaced by cubic or higher roots, the $e_{ij}$ matrix can be made non-binary, and the usage of $r_i$ and $s_j$ values can be made more symmetric in the generation of each $y_i$ value. A more radical generalization is suggested by Goldreich, Micali and Wigderson's recent discovery of zero knowledge proofs for NP problems: It is now possible to use any instance of any NP complete problem as the basis for identification and signature schemes. Shamir later improved the time and communication complexities of these proofs, but their practical significance is still unclear.
Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How



David Chaum
Kruislaan 413, 1098 SJ Amsterdam, The Netherlands

It's not unlike a technique of probabilistic mathematical proof 
in which you allow a receiver to select one of two cases. 
— Norman Shapiro 

[responding] Yes, you're right.... 
but the residue of doubt is provably, negligibly small. 
—Michael Rabin 1977 

Introduction 

The problem solved here may be defined in the following way: Both parties $y$ and $z$ agree on a Boolean expression called a predicate; $y$ claims to know a secret value satisfying the predicate; $z$ wants very high certainty that $y$ does have such a value; while $y$ is willing to demonstrate possession of the secret satisfying value, $y$ is unwilling to reveal the secret value to $z$. The solution requires $z$ to assume that $y$ cannot quickly solve certain problem instances provided by $z$. But $y$ is sure not to reveal anything about the secret, even if $z$ has unlimited computing power.

Relation to Other Work 

The result presented is a dual of those by [Goldreich, et al 86] and [Brassard & Crepeau 86]: their model is a $y$ with infinite computational ability and a $z$ with limited ability; here $z$ may have infinite computational ability and $y$ has only limited ability. Besides being of theoretical interest for this reason, the approach presented here offers several advantages:

• The only possibility for cheating is to solve specific instances of the hard problem (factoring in the example construction) within the time allotted to compute legal responses.

• A variation is secure even if some known fraction of instances of the assumed hard problem can be solved within the allotted time.

• If there are multiple solutions, no information about which one(s) the prover knows is released by the protocol, even to someone who actually has infinite computing power.

• The model is consistent with previous proposals of the author [Chaum 85b], where an individual may have to demonstrate something to an organization that has potentially unknown resources or abilities. In fact, the result is a special case of a protocol previously presented by the author [Chaum 85a], whose properties are described in [Chaum 85b page 1039]. But the underlying problem assumed hard in that work differs from those relied on here.

• Giving the verifier a chance to cheat of less than $2^{-s}$ requires only an amount of computation linear in $s$ and the number of gates needed to represent the predicate. For $s = 100$ and say 200 digit composites, this requires for each gate only about as much computation as a single RSA decryption.

• The protocol is easily adapted to the dual model.
1. PROTOCOL

In overview, the protocol presented involves $y$ making known to $z$ transformed and encrypted copies of a truth table for each gate of a circuit representation of the predicate, after which $z$ is allowed to "select one of two cases". The basic idea of getting exponential security by one party first committing by revealing encrypted forms and then allowing the other party to choose between several cases, which is relied on here, was first proposed in the context of cryptographic protocols by Rabin in [77] (which is the subject of the discussion quoted at the beginning of this article).

1.1 Protocol Set-Up 

Initially $y$ and $z$ agree on a predicate and its realization by a circuit comprising $m$ gates $g_1, \ldots, g_m$, defined by their respective truth tables $T_1, \ldots, T_m$. The gates are interconnected by $n$ wires $w_1, \ldots, w_n$, with each column of every truth table corresponding to a wire. Thus the predicate may be thought of as a Boolean function on say $r$ secret input bits involving $m$ elementary Boolean operations each (except one) of whose output bits becomes an input for one or more other elementary operations without feedback. This means that the memoryless circuit has $r$ input wires, each of which is an input to one or more gates (elementary operations defined by a corresponding truth table); $n - r - 1$ internal wires, each serving as the output of a single gate and "fanning-out" to serve as input to one or more other gates; and a single output wire of a single gate, which is the output of the whole circuit.

Consider a gate $g_k$ with $l$ inputs and an output defined by a truth table $T_k$ (subsequently denoted without subscript) represented in matrix form as $T = (t_{i,j})$ with $i \in \{1, \ldots, 2^l\}$ and $j \in W_k$, where $W_k$ is the set of wires corresponding to the inputs and outputs of gate $g_k$ and (the cardinality) $\# W_k = l + 1$, which is the total number of inputs and outputs of gate $g_k$, and $W_k \subset \{w_1, \ldots, w_n\}$. The entries of $T$ are 0's and 1's, i.e. $t_{i,j} \in \{0, 1\}$, in the usual way: the rows (apart from the last column) contain all defined input configurations, and the last entry in each row is the corresponding output.

It is sufficient to consider all the wires as having secret values, except the single output wire 
for the whole predicate. Since the value of this wire should be 1, the truth table of its gate is 
modified as follows: all rows with 0 in the output column are removed, and then the output 
column itself is removed. 

First, $y$ chooses an inversion $I_j$ at random for each wire $w_j$, i.e. $I_j \in \{0, 1\}$ for $w_j \in \{w_1, \ldots, w_n\}$, where random choices (as used throughout) are uniform choices that are statistically independent of everything else.

Next, $y$ successively transforms each $T$, first to a permuted form $T'$, second to an obscured form $T''$, and third to an encrypted form $E$ as follows: (a) Each $T$ is transformed into a matrix $T' = (t'_{i,j})$ by a random row permutation. (b) Each $T'$ is transformed into a table $T'' = (t''_{i,j})$ for which all entries in all columns corresponding to inverted wires are inverted: $t''_{i,j} = t'_{i,j} \oplus I_j$. (c) Each entry of the obscured form $T''$ is encrypted in a special way to yield $E = (e_{i,j})$: for each entry in $T''$ a random residue modulo $N$ that is coprime with $N$, shown as $r_{i,j}$, is chosen with Jacobi symbol $(r_{i,j} / N)$ equal $1$ when $t''_{i,j} = 1$ and equal $-1$ otherwise, and $e_{i,j} = r_{i,j}^2 \pmod N$, where $N$ is supplied to $y$ by $z$.

Then $y$ displays all the matrices $E$ to $z$ and allows $z$ to choose between two cases:

(1) Display by $y$ of $I_j$ and, for each gate, all the $r_{i,j}$'s used in forming the corresponding $E$'s. This allows $z$ to recover every $T''$ from the Jacobi symbols of the $r_{i,j}$'s, to check that the entries of each $E$ are the squares of the corresponding $r_{i,j}$, and to verify that each $T''$ satisfies $t''_{i,j} = t'_{i,j} \oplus I_j$, for some row permutation $T'$ of $T$.

(2) Display by $y$ of one row of $r_{i,j}$'s for each $E$, which should correspond to the actual row of the truth table that is satisfied by the secret wire values. This allows $z$ to check that the entries of a row of each $E$ are the squares of the corresponding $r$'s, to recover the corresponding rows of the $T''$'s from the Jacobi symbols of the $r_{i,j}$'s, and to verify that all entries $t''_{i,j}$ of the displayed rows with the same $j$ are equal.
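The commitment and both opening cases above, as an added example that is not from the paper. The Blum integer $N = 10007 \cdot 10039$, the two-gate circuit ($w_2 = w_0 \wedge w_1$, then $w_2 \oplus w_3$ must be 1) and the satisfying wire values are constructed; the bits of each $T''$ are encoded by the Jacobi symbol of a random root exactly as in step (c). The block also plays a $y$ who opens rows that are each valid for their own gate but disagree on the shared wire $w_2$, which case 2 rejects while case 1 still passes.

```python
"""Chaum's "select one of two cases" protocol (Section 1) on a 2-gate circuit.

Added illustration, not the paper's code. N, the circuit and the
secret wire values are constructed for this example.
"""
import math
import secrets

P, Q = 10007, 10039   # constructed primes, both 3 (mod 4); in the protocol z supplies N
N = P * Q

# Each gate: (wires W_k in column order, truth-table rows). The output gate keeps
# only rows whose output is 1 and drops the output column (Section 1.1).
CIRCUIT = [
    ((0, 1, 2), [(0, 0, 0), (0, 1, 0), (1, 0, 0), (1, 1, 1)]),   # w2 = w0 AND w1
    ((2, 3), [(0, 1), (1, 0)]),                                  # w2 XOR w3 == 1
]
N_WIRES = 4
SECRET_WIRES = (1, 1, 1, 0)   # constructed satisfying assignment, known only to y


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def residue_encoding(bit):
    """Random unit r mod N with (r/N) = +1 for a 1 bit and -1 for a 0 bit."""
    target = 1 if bit else -1
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1 and jacobi(r, N) == target:
            return r


def commit(chosen_rows):
    """y's commitment: inversions I_j, then per gate T -> T' -> T'' -> E.
    chosen_rows[k] is the (unpermuted) row of gate k that y will open in case 2."""
    inv = [secrets.randbelow(2) for _ in range(N_WIRES)]
    gates = []
    for (cols, rows), chosen in zip(CIRCUIT, chosen_rows):
        t1 = list(rows)
        secrets.SystemRandom().shuffle(t1)                                 # T'
        t2 = [[b ^ inv[w] for b, w in zip(row, cols)] for row in t1]       # T''
        r = [[residue_encoding(b) for b in row] for row in t2]             # r_ij
        e = [[x * x % N for x in row] for row in r]                        # E
        gates.append({"E": e, "r": r, "row": t1.index(chosen)})
    return inv, gates


def decode(r_row):
    """z recovers a row of T'' from the Jacobi symbols of the revealed roots."""
    return [1 if jacobi(x, N) == 1 else 0 for x in r_row]


def check_case1(Es, inv, all_r):
    """Case 1: every E is the square of its r's, and T'' xor I_j is a row permutation of T."""
    for (cols, rows), E, r in zip(CIRCUIT, Es, all_r):
        if any(x * x % N != e for rr, er in zip(r, E) for x, e in zip(rr, er)):
            return False
        recovered = sorted(tuple(b ^ inv[w] for b, w in zip(decode(rr), cols)) for rr in r)
        if recovered != sorted(rows):
            return False
    return True


def check_case2(Es, openings):
    """Case 2: one opened row per E, squares match, and each wire gets a single value."""
    wire_value = {}
    for (cols, _), E, (idx, r_row) in zip(CIRCUIT, Es, openings):
        if [x * x % N for x in r_row] != E[idx]:
            return False
        for w, b in zip(cols, decode(r_row)):
            if wire_value.setdefault(w, b) != b:
                return False
    return True


def run_both_cases(chosen_rows):
    """(case 1 verdict, case 2 verdict) for one commitment; z would pick one case at random."""
    inv, gates = commit(chosen_rows)
    Es = [g["E"] for g in gates]
    case1 = check_case1(Es, inv, [g["r"] for g in gates])
    case2 = check_case2(Es, [(g["row"], g["r"][g["row"]]) for g in gates])
    return case1, case2


HONEST_ROWS = [tuple(SECRET_WIRES[w] for w in cols) for cols, _ in CIRCUIT]
# A y without a satisfying assignment can still pick a valid row per gate; here w2 is
# 0 in the AND row but 1 in the XOR row, so the opened rows disagree on the shared wire.
INCONSISTENT_ROWS = [(0, 0, 0), (1, 0)]

if __name__ == "__main__":
    print("honest y (case 1, case 2):", run_both_cases(HONEST_ROWS))
    print("inconsistent y (case 1, case 2):", run_both_cases(INCONSISTENT_ROWS))
```

Case 1 alone is always satisfiable by anyone who can build truth tables, and case 2 alone by anyone who picks a row per gate; only a $y$ who can answer whichever case $z$ names holds a consistent assignment, which is the content of the second theorem below.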

2. SECURITY 

Theorem: No Shannon-information about the secret wire values is revealed by $y$ following the protocol, assuming $N$ has only two odd prime factors and they are each congruent to 3 modulo 4.

Proof: First note that no information in the Shannon sense is revealed before $z$ chooses a case, since each quadratic residue displayed has exactly the same probability of corresponding to a 1 as to a 0, because it has exactly two distinct roots with each Jacobi symbol. The secret wire values have no influence on what is revealed in case 1. In case 2, the indices of the displayed rows reveal nothing since the permutation of rows is chosen at random; a bit with index $j$ in a revealed row corresponds with the $j$th wire, is equal to all other such bits with index $j$, and is just the exclusive-or of the secret wire value with $I_j$, which is just the encryption of the secret value under a true one-time pad. $\square$

Theorem: The probability that $y$ satisfies $z$'s verification cannot exceed $1/2$ when $y$ is unable to learn secret wire values satisfying the circuit, assuming $y$ cannot find two square roots of the same residue modulo $N$ that have distinct Jacobi symbols.

Proof: It is sufficient to show that if $y$ can satisfy $z$ in both cases, then $y$ can learn wire values satisfying the circuit. All $T''$ are uniquely determined (from the assumption), are known to $y$, and contain only valid truth table rows when exclusive-ored with the corresponding bits of the $I_j$'s known to $y$, as a consequence of $y$ being able to satisfy case 1. From case 2, $y$ knows a way to choose one row from each table $T''$ such that each wire is assigned the same value in all the chosen rows. Thus, $y$ can form the exclusive-or of the $I_j$'s known from case 1 with the rows known from case 2, which yields a valid row for each gate (from case 1) with an assignment of bits to wires that satisfies each such row (from case 2). $\square$

Lemma: If the above protocol is successfully repeated $s$ times, using moduli each of which can be factored in the allotted time with independent probability $p$, then the probability of one-half in the previous theorem may be replaced by $(1/2 + p/2)^s$.

Proof: Follows immediately from elementary probability theory.
3. DISCUSSION 

The protocol description used certain well known number theoretic functions (first introduced by Blum [82]) for clarity and concreteness, but the present results should not be interpreted as limited to these specific functions. A natural generalization is to any pair of so called "claw free" (as defined in [Goldwasser et al 85]) one-way bijections with the same image. Other choices of encryption functions switch the protocol to the dual model mentioned in the introduction: any suitable encryption of a single bit (or actually row of bits) with a unique inverse message could be used to encrypt a $T''$ to form an $E$.

In the protocol presented above, $y$ must be convinced that $N$ is a "Blum integer," or better, that it is of the form used in [Goldwasser et al 85]. There are at least two ways to address such a requirement. One is just to complete the protocol and then let $y$ reveal the factorization of $N$ to convince $z$ that no cheating has occurred. When such an after-the-fact check is not acceptable, and where the particular encryption functions used require some such checking based on trapdoor information, $z$ could use a protocol of the dual type to convince $y$ that a predicate indicating suitability of the functions is satisfied.

Other claw free functions based on the discrete log problem do not require such checking [Damgard 86].
DEMONSTRATING POSSESSION OF A DISCRETE LOGARITHM WITHOUT REVEALING IT
Abstract. Techniques are presented that allow A to convince B that she knows a solution to the
Discrete Log Problem, i.e. that she knows an x such that $\alpha^x = \beta \pmod N$ holds, without
revealing anything about x to B. Protocols are given both for N prime and for N composite. We
prove these protocols secure under a formal model which is of interest in its own right. We also
show how A can convince B that two elements $\alpha$ and $\beta$ generate the same subgroup in $Z_N^*$,
without revealing how to express either as a power of the other.

1 . Introduction 

Consider the following problem: 

• Alice knows a solution to the Discrete Log Problem (i.e. for a particular $\alpha$, $\beta$ and N, she
knows the exponent x such that $\alpha^x = \beta \pmod N$ holds).

• Alice wants to convince Bob that she knows x. 

• Alice is not willing to reveal any information (in the sense defined in the next section)
about the value of x.

• Bob accepts an exponentially small chance that Alice is cheating, i.e. that she pretends to
know an x but doesn't. More precisely, the chance that Alice succeeds in cheating without
being detected by Bob will be $2^{-T}$, where T is proportional to the time and space required.

In this paper we present a number of protocols which solve this problem, both for the case
N a prime, and for the case $N = P_1 P_2$, where $P_1$ and $P_2$ are prime and of roughly the same
size. Notice that there is no probabilistic polynomial time algorithm known for finding x given
$\alpha$, $\beta$ and N. But even when Alice is restricted to polynomial computational power (as we will
assume), this protocol is of interest, since given $\alpha$ and N she can choose $x \in [1, N-1]$ with
$\gcd(x, \phi(N)) = 1$ at random and then compute $\beta$ simply by exponentiation.

In this paper we define the notion (almost) no information which is very similar to "zero 
knowledge", introduced by Goldwasser, Micali and Rackoff [GMR85] (and which has nothing to 
do with Shannon-information). The difference is that in the GMR model the prover has unlim- 
ited computational power, whereas in our model her power is only polynomial with coin flipping. 
In section 7 we illustrate the need for such a model by giving an example in which both parties 
have a symmetrical position, and where it is reasonable to assume that neither has unlimited 
computational power. 

As far as we know, no other protocol with the same functionality has been presented. Very 
recent results by Goldreich, Micali and Wigderson [GMW86], Brassard and Crepeau [BrCr86], 
and Chaum [Ch86], however, all imply the following: if Alice has a certificate (or witness) of a 
particular statement which can be verified in polynomial time, then there exists a polynomial time 
protocol in which she can convince Bob that she has a certificate, without releasing any 
knowledge (or information in [Ch86]) about the value of this certificate; consequently, there exists 
a polynomial time protocol for showing possession of the Discrete Log. Nevertheless, these pro- 
tocols are not very practical. An important merit of the protocols presented here is their practi- 
cal feasibility. 

The structure of this paper is as follows: The next section describes the model and the
notion of information under which we prove our protocols secure. In sections 3 and 4 we present
the protocols together with their proofs of security in the prime and composite cases, respectively.
Section 5 is devoted to a specific variation which surprisingly turns out to be insecure. Section 6
gives a protocol to convince another party that two elements generate the same subgroup in $Z_N^*$.
The paper ends with an example and two open problems.

2. The model. 

In this paper we will use the model developed in [BKP85], but with some modifications. Below 
we briefly sketch this model using a modified notation. It should be pointed out that this sketch 
assumes familiarity with [BKP85] or [GMR85]. 

We think of a protocol as occurring between two Probabilistic Turing Machines (PTM's) A
and B which operate synchronously. Each PTM has, besides a computation tape and a random
tape, a one-way infinite tape for incoming messages. We call this tape the "mailbox" of the
machine. The PTM's communicate by writing into each other's mailbox. We call each of the
machines in such a system a CPTM, for Communicating Probabilistic Turing Machine.

Now consider a system of two CPTM's A and B. The system [A;B] halts whenever A or B
halts; the system accepts only when B halts and accepts. Throughout this paper A will interac-
tively demonstrate possession of a secret to B, so (using the terminology of [GMR85]) we call A
the prover and B the verifier. In [BKP85] this secret is the factorisation of a large composite
number. But in general, the solution to an instance of any problem assumed not solvable in ran-
dom polynomial time may serve as a secret. We define $I_A$ as the pair consisting of the problem
instance and the secret; $I_A$ is usually created by A, and is considered the input for the system
[A;B]. Given $I_A$, we define $I'_A$ as the single problem instance, thus without the secret; we assume
that A sends $I'_A$ to B before the actual protocol starts. For example, in our Discrete Log proto-
cols $I_A = (\alpha, \beta, N, x)$, and $I'_A = (\alpha, \beta, N)$.

For simplicity, we explicitly force the time ordering in the messages by requiring that A and
B alternately write one symbol in the other's mailbox. If a party has nothing to communicate it
writes the special null symbol, $\nu$, not used for any other purpose in the communication. We also
assume that both parties do not write superfluous null symbols, so the places where null symbols
are written is a function of $I'_A$. We define $\Omega := \bigcup_{n=0}^{\infty} \{0, 1, \nu\}^n$, and the contents of a mailbox as
an element of $\Omega$.

The conversation between A and B, defined as the ordered pair containing their respective
mailboxes, is considered as the output of the system [A;B]. It depends only on the instance $I_A$
and the bits on the random tapes of A and B. This conversation is denoted as $conv([A;B](I_A))$.
Then $\Pr(conv([A;B](I_A)) = c)$ is defined as the probability that $c \in \Omega^2$ occurs as the conversation
between A and B resulting from the initialising instance $I_A$, under the assumption that the bits on
the random tapes of A and B are chosen independently and uniformly.

The following definitions (which are modifications of part (iii) of the definition of an A-
simulator preceding theorem 1 in [BKP85]), will serve to make precise the kind of security
achieved by our protocols. Informally speaking, they state that the prover A releases no informa-
tion if there exists a probabilistic polynomial-time simulating machine which, when initialised
with $I'_A$ and for all possible verifiers B', produces simulated conversations between A and B' that
have (almost) the same probability distribution as the true conversations between A and B'. This
simulating machine, denoted $S_{A'}$, is a PTM S that contains another machine A'. This A' is
called as a subroutine and outputs a simulation of A's part of the conversation. Input for $S_{A'}$ is
the problem instance without the secret, $I'_A$; the output is denoted as $output(S_{A'}(I'_A))$.

Definition 1. The prover A releases no information if there exists a polynomial-time (simulating)
machine $S_{A'}$, such that for all CPTM's B', all initialising instances $I_A$, and all possible conversa-
tions $c \in \Omega^2$,

$$\Pr(conv([A;B'](I_A)) = c) = \Pr(output(S_{A'}(I'_A)) = c).$$



The next definition covers the case when the two probability distributions may differ
slightly.

Definition 2. The prover A releases almost no information if there exist an $\epsilon$, $0 \le \epsilon < 1$, and a
polynomial-time (simulating) machine $S_{A'}$ such that for all CPTM's B' and all initialising instances
$I_A$ of length $l$,

$$\sum_{c \in \Omega^2} \left| \Pr(conv([A;B'](I_A)) = c) - \Pr(output(S_{A'}(I'_A)) = c) \right| < \epsilon^{l}.$$



For describing a cryptographic protocol in the model presented, we will use the same proto-
col notation throughout the paper. The meaning of this notation is straightforward; only the
next few things might need explanation:

— Expressions shown on the left or right are known to that party only, and are secret from
the other party.

— T is the security parameter, agreed upon before the protocol starts. Increasing T reduces
A's chance of successfully cheating exponentially, but increases the amount of communica-
tion and computation only linearly.

— $e \in_R S$ means that an element e is chosen at random from the set S, where all elements of S
have an equal probability of being chosen, independent of all previous events.

— In some steps of the protocol a party checks if a particular equality holds; this is denoted
as: check $a \stackrel{?}{=} b$. If the check fails, cheating is detected and the protocol halts.

The proofs of security for our protocols are considerably simplified by the fact that there is 
essentially no two-way communication. The nature of the protocols presented here is such that 
the bits that B reads from his random tape, can also be generated by a mutually trusted random 
source. The correctness of the protocols lies in the randomness of the bits generated, however, 
there is no reason for B to hide these bits. If a protocol has this property, we say it is verifier- 
passive. 

Several coin flipping protocols are widely known which allow A and B to generate mutually
trusted random bits, see e.g. [Bl82]. Below we briefly describe the general nature of these proto-
cols. Let $b \in \{0, 1\}$ be a bit, r be some random padding, and assume that A and B agree on a
function F with the following two properties:

1) given the function F and the value F(r,b), the bit b cannot be computed by B;

2) given the function F and the value F(r,b), a pair (r', b') for which F(r,b) = F(r',b') and
$b \ne b'$ cannot be found by A.

Then A and B can use the following protocol, called $\Gamma$, for generating mutually trusted random
bits:

Protocol $\Gamma$: Coin flipping

A: $b_A \in_R \{0, 1\}$, r random; $f := F(r, b_A)$.
Step 1: A → B: $f$
B: $b_B \in_R \{0, 1\}$.
Step 2: B → A: $b_B$
Step 3: A → B: $(r, b_A)$
B: check $f \stackrel{?}{=} F(r, b_A)$.
Step 4: the resulting bit is $b_B \oplus b_A$.

Note that in this protocol the role of A and B can be interchanged, but this might depend 
on the model of computation. 

For generating bit strings of length T, this protocol can be extended to a protocol T T in 
two different ways: a sequential version, where T is repeated T times, and a parallel version, 
where both parties send message tuples of length T. We will use this coin-flipping as a sub- 
protocol. 
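As an added illustration (not part of the paper), the following Python code runs protocol $\Gamma$ with F(r, b) instantiated as SHA-256(r || b). The paper leaves F abstract, so treating this hash as hiding (property 1) and binding (property 2) is an assumption of the example, as is the 32-byte padding length. The code shows one honest run, the parallel version $\Gamma_T$, and what B's check in step 4 does to a party who tries to open her commitment to a different bit after seeing $b_B$.

```python
# Added example (not from the paper): protocol Gamma with F(r, b) := SHA-256(r || b).
# The hash is assumed hiding (property 1) and binding (property 2); the paper
# leaves F abstract.  Python 3.8+.
import hashlib
import secrets
from typing import List, Optional, Tuple

R_BYTES = 32  # length of the random padding r (an assumption of this example)


def F(r: bytes, b: int) -> bytes:
    """The agreed function F(r, b): a commitment to the bit b under padding r."""
    if b not in (0, 1):
        raise ValueError("b must be a single bit")
    return hashlib.sha256(r + bytes([b])).digest()


def step1_commit(b_a: int, r: bytes) -> bytes:
    """A: f := F(r, b_A); f is written into B's mailbox."""
    return F(r, b_a)


def step4_verify(f: bytes, r: bytes, b_a: int, b_b: int) -> Optional[int]:
    """B: check f =? F(r, b_A).  On success the trusted bit is b_B xor b_A; on
    failure cheating is detected and the protocol halts (None)."""
    if F(r, b_a) != f:
        return None
    return b_b ^ b_a


def protocol_gamma(rng=secrets) -> Tuple[Optional[int], dict]:
    """One honest execution of protocol Gamma; returns the coin and the transcript."""
    b_a = rng.randbelow(2)               # A's secret bit
    r = rng.token_bytes(R_BYTES)         # A's random padding
    f = step1_commit(b_a, r)             # step 1: A -> B
    b_b = rng.randbelow(2)               # step 2: B -> A
    coin = step4_verify(f, r, b_a, b_b)  # step 3: A opens; step 4: B checks
    return coin, {"f": f, "b_B": b_b, "r": r, "b_A": b_a}


def gamma_T_parallel(t: int, rng=secrets) -> List[int]:
    """Parallel version Gamma_T: A commits to T bits in one tuple, B answers with
    a tuple of T bits, A opens all T commitments at once."""
    bits_a = [rng.randbelow(2) for _ in range(t)]
    pads = [rng.token_bytes(R_BYTES) for _ in range(t)]
    commits = [step1_commit(b, r) for b, r in zip(bits_a, pads)]   # step 1
    bits_b = [rng.randbelow(2) for _ in range(t)]                   # step 2
    coins = []
    for f, r, b_a, b_b in zip(commits, pads, bits_a, bits_b):       # steps 3 and 4
        c = step4_verify(f, r, b_a, b_b)
        if c is None:
            raise RuntimeError("commitment opened inconsistently: cheating detected")
        coins.append(c)
    return coins


def dishonest_opening(f: bytes, r: bytes, b_b: int, wanted: int) -> Optional[int]:
    """A has seen b_B and wants the coin to be `wanted`, so she opens with
    b_A' := wanted xor b_B.  Unless that equals her committed bit, B's check fails;
    finding another padding that fits is ruled out by property 2."""
    return step4_verify(f, r, wanted ^ b_b, b_b)


if __name__ == "__main__":
    coin, transcript = protocol_gamma()
    print("coin:", coin, "transcript:", {k: (v.hex() if isinstance(v, bytes) else v)
                                          for k, v in transcript.items()})
    print("Gamma_8:", gamma_T_parallel(8))
    r = secrets.token_bytes(R_BYTES)
    f = step1_commit(0, r)
    print("honest opening:", step4_verify(f, r, 0, 1), "dishonest:", dishonest_opening(f, r, 1, 0))
```

The sequential and parallel versions differ only in how the T commitments are batched; both rely on F being binding, which is what stops A from choosing her opening after she has seen $b_B$.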

Because of the time ordering in the conversation, the meaning of each cell in the mailboxes
of A and B is completely determined by $\Pi$, the kind of protocol used, the security parameter T
and the initialising instance $I_A$. So in the mailboxes we can distinguish between sequences of
cells dedicated to the coin-flipping protocol $\Gamma_T$, and sequences of cells dedicated to the top-level
protocol $\Pi$. More formally, if $b = (b_1, \ldots, b_T)$ are the bits generated through $\Gamma_T$, we define
$\pi_A(I_A, b)$ as those cells written by A (in B's mailbox) for protocol $\Pi$ only, with null symbols at all
other places; similarly, $\gamma_A(I_A, b)$ is the output of A with regard to $\Gamma_T$ only, with null symbols at
all other places. B's part of the conversation is split similarly in $\pi_B$ and $\gamma_B$. For the simulating
machines A' and S we define $\pi_{A'}$, $\gamma_{A'}$, $\pi_S$ and $\gamma_S$ on input $I'_A$ and b in the corresponding way.

Theorem 1. Suppose that the protocol $\Pi$ is verifier-passive, that a coin-flipping protocol $\Gamma_T$ is
used, and that a CPTM A' exists such that

$$\forall I_A,\ d \in \Omega,\ b \in \{0, 1\}^T:\quad \Pr(\pi_A(I_A, b) = d) = \Pr(\pi_{A'}(I'_A, b) = d).$$

Then A releases no information through protocol $\Pi$.

Proof: We have to show that a polynomial-time simulating machine $S_{A'}$ can be constructed
which simulates the conversation between A and B. This conversation, i.e. the contents of A's
and B's mailboxes, can be split up in $\pi_A$, $\pi_B$, $\gamma_A$ and $\gamma_B$. By assumption, $\pi_A$ can be simulated
by $\pi_{A'}$. And $\pi_B$ consists of null symbols only, since $\Pi$ is verifier-passive; therefore it is also
simulatable. In general, it is easy for $S_{A'}$ to simulate $\Gamma_T$. However, while simulating $\Pi$, machine
A' has to guess in advance the bits b resulting from $\Gamma_T$, otherwise the simulation fails. In the
parallel version of $\Gamma_T$ the probability of A' guessing correctly all bits is only $2^{-T}$. In the sequen-
tial version of $\Gamma_T$ this probability is 1/2 in each round. But as soon as $S_{A'}$ realizes that the wrong
coin is being simulated, the machine is reset to the state it had when that round was entered and
tries that round again. Because of this fact, the error probability can be made arbitrarily small.
Though $S_{A'}$'s expected running time is increased by a factor 2T when compared to A, the simu-
lation still runs in probabilistic polynomial time. □

Theorem 2 establishes the analogous result regarding protocols which transfer almost no
information.

Theorem 2. Suppose the protocol $\Pi$ is verifier-passive, that a coin-flipping protocol $\Gamma_T$ is used,
and that an $\epsilon$, $0 \le \epsilon < 1$, and a CPTM A' exist such that for all CPTM's B',

$$\sum_{d \in \Omega} \left| \Pr(\pi_A(I_A, b) = d) - \Pr(\pi_{A'}(I'_A, b) = d) \right| < \epsilon^{l},$$

where $l := |I_A|$. Then A releases almost no information through the protocol $\Pi$.

Proof: The proof is analogous to the proof of Theorem 1. □

Machine A' in the statements of Theorems 1 and 2 is called a prover-simulator machine or
just an A-simulator machine.

From now on we denote the bits produced by a coin flipping sub-protocol $\Gamma$ by the word
COIN FLIPPING, and a two-sided arrow. Furthermore, $Z_N$ is the additive group (mod N), and
$Z_N^*$ is the multiplicative group (mod N).



3. Protocols for proving possession of the discrete logarithm modulo a prime number. 

The problem is the following: A knows a solution to the equation $\alpha^x = \beta \pmod P$, where we
assume that x is randomly chosen from [1, P − 1]. P, $\alpha$, $\beta$ are public and B wants to be convinced
that A knows x. A wants to convince B, but does not want to release any information about x.

We will give two protocols for this problem. Our first example is an easier protocol; how-
ever, it works only if $\alpha$ and $\beta$ both generate the same sub-group in $Z_P^*$ and A is willing to ack-
nowledge this. If $\alpha$ and $\beta$ do not generate the same sub-group, protocol 1 releases information
about the index of $\langle\beta\rangle$ in $\langle\alpha\rangle$. An intuitive way to think about this protocol is to consider the
expression $h_i := \alpha^{e_i}$ made public as lying somewhere between $\alpha$ and $\beta$; upon getting the value of
the bits, A shows either how to express $h_i$ as a power of $\alpha$, or how to express $\beta$ as a power of $h_i$.
Protocol 1: $\alpha^x = \beta \pmod P$; P, $\alpha$, $\beta$ public; x with $\gcd(x,\, P-1) = 1$ a secret of A; $\alpha$, $\beta$ generate
the same sub-group.

A: $h_i := \alpha^{e_i} \pmod P$ with $e_i \in_R Z_{P-1}^*$, for $i = 1, \ldots, T$.
Step 1: A → B: $h_1, \ldots, h_T$
Step 2: COIN FLIPPING: $b_1, \ldots, b_T \in_R \{0, 1\}$
A: if $b_i = 0$ then $s_i := e_i$;
   if $b_i = 1$ then $s_i := x\, e_i^{-1} \pmod{P-1}$.
Step 3: A → B: $s_1, \ldots, s_T$
B: if $b_i = 0$ then check $\alpha^{s_i} \stackrel{?}{=} h_i$;
   if $b_i = 1$ then check $h_i^{s_i} \stackrel{?}{=} \beta$.

Theorem 3.

(a) A can cheat in protocol 1 with probability at most $2^{-T}$ if she does not know x, and

(b) there exists a polynomial-time prover simulator A'.

Proof:

(a) Correctness: If A does not know x, then she is not able to compute both possible exponents to
be released in step 3. Hence she will get caught with probability at least 1/2 with each $h_i$. Thus A
will get caught cheating with probability at least $1 - 2^{-T}$.

(b) Security: We exhibit a simulator A' which, for random bits $b_1, \ldots, b_T$, produces random
$h_1, \ldots, h_T$ in $Z_P^*$, along with $s_i$ such that $\alpha^{s_i} = h_i$ if $b_i = 0$ and $s_i$ such that $h_i^{s_i} = \beta \pmod P$ if
$b_i = 1$. We construct A' as follows:

A'-Simulator for protocol 1:

1: $b_1, \ldots, b_T \in_R \{0, 1\}$.

2: If $b_i = 0$ then $s_i \in_R Z_{P-1}^*$ and $h_i := \alpha^{s_i} \pmod P$.

3: If $b_i = 1$ then $s_i \in_R Z_{P-1}^*$ and $h_i := \beta^{a_i}$, where $a_i := s_i^{-1} \pmod{P-1}$.

4: Output $h_i$, $b_i$ and $s_i$ for $i \in \{1, \ldots, T\}$.

The reader can verify that the $b_i$'s, $h_i$'s and $s_i$'s produced by simulator A' have the same
joint probability distribution as the corresponding numbers produced by A in an execution of
protocol 1. Note that the computations in step 3 can be done in polynomial time using Euclid's
algorithm. By Theorem 1, protocol 1 reveals no information. □
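As an added illustration (not part of the paper), the following Python code runs protocol 1 over a toy prime and then checks Theorem 3(b) exhaustively for T = 1: the set of transcripts (h, b, s) an honest prover can produce is computed and compared with the set the A'-simulator above can produce. The coin flips are replaced by a trusted random source, which the verifier-passive property permits. The modulus P = 23, generator $\alpha = 5$ and secret x = 7 are constructed toy values; a real instance needs a large prime and a cryptographic random source.

```python
# Added example (not from the paper): protocol 1 and its A'-simulator over a toy
# prime, with the coin flips supplied by a trusted random source (the protocol is
# verifier-passive).  P = 23, alpha = 5 and x = 7 are constructed toy values.
# Requires Python 3.8+ (pow(e, -1, m) for modular inverses).
import random
from math import gcd
from typing import List, Optional, Tuple


def is_generator(alpha: int, P: int) -> bool:
    """alpha generates Z_P^* iff alpha^((P-1)/q) != 1 for every prime q | P-1."""
    m, q, primes = P - 1, 2, []
    while q * q <= m:
        if m % q == 0:
            primes.append(q)
            while m % q == 0:
                m //= q
        q += 1
    if m > 1:
        primes.append(m)
    return all(pow(alpha, (P - 1) // q, P) != 1 for q in primes)


def random_unit(m: int, rng: random.Random) -> int:
    """Uniform element of Z_m^*; exponents must be invertible mod P-1."""
    while True:
        e = rng.randrange(1, m)
        if gcd(e, m) == 1:
            return e


def prover_step1(P: int, alpha: int, T: int, rng: random.Random) -> Tuple[List[int], List[int]]:
    """A: e_i in_R Z_{P-1}^*, h_i := alpha^{e_i} mod P.  The h_i go to B."""
    e = [random_unit(P - 1, rng) for _ in range(T)]
    return e, [pow(alpha, ei, P) for ei in e]


def prover_step3(P: int, x: int, e: List[int], b: List[int]) -> List[int]:
    """A: s_i := e_i if b_i = 0, else s_i := x * e_i^{-1} mod (P-1)."""
    return [ei if bi == 0 else x * pow(ei, -1, P - 1) % (P - 1) for ei, bi in zip(e, b)]


def verifier_check(P: int, alpha: int, beta: int,
                   h: List[int], b: List[int], s: List[int]) -> bool:
    """B: alpha^{s_i} =? h_i when b_i = 0; h_i^{s_i} =? beta when b_i = 1."""
    for hi, bi, si in zip(h, b, s):
        if bi == 0 and pow(alpha, si, P) != hi:
            return False
        if bi == 1 and pow(hi, si, P) != beta:
            return False
    return True


def run_protocol_1(P: int, alpha: int, x: int, T: int,
                   rng: Optional[random.Random] = None) -> bool:
    """One parallel execution with security parameter T; True iff B accepts."""
    rng = rng or random.Random()                   # use secrets in a real deployment
    beta = pow(alpha, x, P)
    e, h = prover_step1(P, alpha, T, rng)          # step 1
    b = [rng.randrange(2) for _ in range(T)]       # step 2: COIN FLIPPING
    s = prover_step3(P, x, e, b)                   # step 3
    return verifier_check(P, alpha, beta, h, b, s)


def simulator_round(P: int, alpha: int, beta: int, b: int, s: int) -> Tuple[int, int, int]:
    """A'-simulator, one round: given the coin b and a unit s, derive h so that
    B's check passes.  x is never used."""
    h = pow(alpha, s, P) if b == 0 else pow(beta, pow(s, -1, P - 1), P)
    return h, b, s


def honest_transcripts(P: int, alpha: int, x: int) -> List[Tuple[int, int, int]]:
    """Every (h, b, s) an honest A can produce in one round, one per (e, b)."""
    units = [e for e in range(1, P - 1) if gcd(e, P - 1) == 1]
    return sorted((pow(alpha, e, P), b, prover_step3(P, x, [e], [b])[0])
                  for e in units for b in (0, 1))


def simulated_transcripts(P: int, alpha: int, beta: int) -> List[Tuple[int, int, int]]:
    """Every (h, b, s) the simulator can output in one round, one per (s, b)."""
    units = [s for s in range(1, P - 1) if gcd(s, P - 1) == 1]
    return sorted(simulator_round(P, alpha, beta, b, s) for s in units for b in (0, 1))


if __name__ == "__main__":
    P, alpha, x = 23, 5, 7                       # toy values; gcd(7, 22) = 1
    print("alpha generates Z_P^*:", is_generator(alpha, P))
    print("B accepts:", run_protocol_1(P, alpha, x, 16, random.Random(2024)))
    print("honest and simulated transcript sets coincide:",
          honest_transcripts(P, alpha, x) == simulated_transcripts(P, alpha, pow(alpha, x, P)))
```

Each (e, b) pair of the honest prover maps to exactly one (s, b) pair of the simulator with the same h, which is why the two sorted lists are identical; this is the bijection behind the claim that the joint distributions coincide.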
Protocol 1 has the advantage that it can be performed sequentially by using T = 1 and
repeating step 1 to step 3 many times. Protocol 2 below can be proved to be secure only when it
is performed in parallel; however, it can also be used if $\alpha$ and $\beta$ do not generate the same group.



Protocol 2: $\alpha^x = \beta \pmod P$; P, $\alpha$, $\beta$ public; x a secret of A.

A: $h_i := \alpha^{e_i} \pmod P$ with $e_i \in_R Z_{P-1}$, for $i = 1, \ldots, T$.
Step 1: A → B: $h_1, \ldots, h_T$
Step 2: COIN FLIPPING: $b_1, \ldots, b_T \in_R \{0, 1\}$
A: if $b_i = 0$ then $s_i := e_i$;
   if $b_i = 1$ then $s_i := e_i - e_j \pmod{P-1}$, with $j := \min\{i : b_i = 1\}$.
Step 3: A → B: $s_1, \ldots, s_T$
B: if $b_i = 0$ then check $\alpha^{s_i} \stackrel{?}{=} h_i$;
   if $b_i = 1$ then check $\alpha^{s_i} \stackrel{?}{=} h_i h_j^{-1}$.
A: $\xi := x - e_j \pmod{P-1}$.
Step 4: A → B: $\xi$
B: check $\alpha^{\xi} \stackrel{?}{=} \beta h_j^{-1}$.

Theorem 4.

(a) A can cheat in protocol 2 with probability at most $2^{-T}$ if she does not know x, and

(b) there exists a polynomial-time prover simulator A'.

Proof:

(a) Correctness: Suppose that A does not know x. Then she will get caught with probability at
least 1/2 for each $h_i$ with $i \ne j$. This is because A can never answer both possible cases to be sent
in step 2. Now, independent of what j is, A's chance of being caught with $h_j$ is also at least 1/2,
because she cannot know $e_j$ and pass the check after step 4. So the only way A can pass all the
checks in step 3 and step 4 is by guessing correctly what the vector b will be. This happens with
probability $2^{-T}$.

(b) Security: Note that protocol 2 is verifier-passive. We exhibit a simulator machine A' which
produces messages and random bits which have the same joint probability distribution as mes-
sages from A and mutually trusted random bits in an execution of the protocol. By Theorem 1 it
then follows that protocol 2 releases no information.

In the remainder of the proof we have $K := \{i : b_i = 0\}$, $L := \{i : b_i = 1\}$, $k \in K$ and $l \in L$. For
random bits $b_1, \ldots, b_T$, A' must produce random $h_1, \ldots, h_T$ in $Z_P^*$, along with $s_k$ such that
$\alpha^{s_k} = h_k \pmod P$ for each $k \in K$. For each $l \in L$, simulator A' must produce the difference
$s_l = e_l - e_j \pmod{P-1}$ satisfying $\alpha^{s_l} = h_l h_j^{-1} \pmod P$, where $j = \min\{i : i \in L\}$. Finally, A'
must produce the difference $\xi = x - e_j \pmod{P-1}$ satisfying $\alpha^{\xi} = \beta h_j^{-1} \pmod P$. We con-
struct machine A' as follows:

A'-Simulator for protocol 2:

1: $b_1, \ldots, b_T \in_R \{0, 1\}$. Let K and L be defined as before.

2: For $k \in K$ choose $s_k \in_R Z_{P-1}$, and let $h_k := \alpha^{s_k} \pmod P$.

3: Choose $\xi \in_R [1, P-1]$. For $l \in L - \{j\}$ choose $s_l \in_R [1, P-1]$ (and $s_j = 0$, as in the protocol).
For $l \in L - \{j\}$ let $h_l := \alpha^{s_l - \xi} \beta$.

4: Let $h_j := \alpha^{-\xi} \beta$.

5: Output $h_i$, $b_i$ and $s_i$ for $i = 1, \ldots, T$, and $\xi$.

Observe for step 3 that $h_l = \alpha^{s_l - \xi}\beta = \alpha^{s_l - \xi + x} = \alpha^{(e_l - e_j) - (x - e_j) + x} = \alpha^{e_l}$, and for step 4 that
$h_j = \alpha^{-\xi}\beta = \alpha^{-(x - e_j) + x} = \alpha^{e_j}$. Now it follows immediately that the $b_i$, the $h_i$, the $s_k$, the $s_l$ and
the $\xi$ produced by A' have the same joint probability distribution as the ones produced by A in
an execution of protocol 2. □

The crucial difference between A and A' is that the simulator A' does not know the actual
values of the $e_i$ (because it does not know x), but only their differences (mod P − 1). Since the
protocol does not reveal the actual values of $e_i$ and x, but only their difference with $e_j$ taken
(mod P − 1), the protocol is secure.
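As an added illustration (not part of the paper), the following Python code implements protocol 2 and the A'-simulator above over a toy prime, and checks Theorem 4(b) exhaustively for T = 2: for every coin vector b, the honest prover's transcripts (over all choices of the $e_i$) and the simulator's transcripts (over all choices of its free values $s_k$, $s_l$ and $\xi$) are enumerated and compared as multisets. Unlike protocol 1, $\alpha$ need not generate $Z_P^*$ and x need not be a unit. P = 23, $\alpha$ = 5 and x = 9 are constructed toy values; the case in which every coin is 0 (no step 4) is handled explicitly.

```python
# Added example (not from the paper): protocol 2 and its A'-simulator over a toy
# prime P, with the coin flips supplied by a trusted random source.  Exponents are
# taken mod P-1; alpha need not generate Z_P^* and x need not be a unit.  P = 23,
# alpha = 5 and x = 9 are constructed toy values.  Requires Python 3.8+.
import itertools
import random
from typing import Callable, List, Optional, Sequence, Tuple

Transcript = Tuple[Tuple[int, ...], Tuple[int, ...], Tuple[int, ...], Optional[int]]


def first_one(b: Sequence[int]) -> Optional[int]:
    """j := min{i : b_i = 1}; None when every coin is 0 (then step 4 is empty)."""
    return next((i for i, bi in enumerate(b) if bi == 1), None)


def honest_round(P: int, alpha: int, x: int, b: Sequence[int], e: Sequence[int]) -> Transcript:
    """A's messages (steps 1, 3 and 4) for coins b and her random exponents e."""
    m, j = P - 1, first_one(b)
    h = tuple(pow(alpha, ei, P) for ei in e)
    s = tuple(ei if bi == 0 else (ei - e[j]) % m for ei, bi in zip(e, b))
    xi = None if j is None else (x - e[j]) % m
    return h, tuple(b), s, xi


def simulated_round(P: int, alpha: int, beta: int, b: Sequence[int], r: Sequence[int]) -> Transcript:
    """A'-simulator: r[i] serves as s_i for i != j and as xi for i = j.
    The h_i are derived so that every check passes; x is never used."""
    m, j = P - 1, first_one(b)
    xi = None if j is None else r[j]
    h, s = [0] * len(b), [0] * len(b)
    for i, bi in enumerate(b):
        if bi == 0:                                   # k in K: h_k = alpha^{s_k}
            s[i], h[i] = r[i], pow(alpha, r[i], P)
        elif i != j:                                  # l in L - {j}: h_l = alpha^{s_l - xi} beta
            s[i], h[i] = r[i], pow(alpha, (r[i] - xi) % m, P) * beta % P
        else:                                         # h_j = alpha^{-xi} beta, s_j = 0
            s[i], h[i] = 0, pow(alpha, (-xi) % m, P) * beta % P
    return tuple(h), tuple(b), tuple(s), xi


def verifier_check(P: int, alpha: int, beta: int, tr: Transcript) -> bool:
    """B's checks after step 3 and after step 4."""
    h, b, s, xi = tr
    j = first_one(b)
    for i, bi in enumerate(b):
        if bi == 0 and pow(alpha, s[i], P) != h[i]:
            return False
        if bi == 1 and pow(alpha, s[i], P) != h[i] * pow(h[j], -1, P) % P:
            return False
    if j is None:   # all coins 0: no step 4; this is the 2^-T event a cheater must hit
        return True
    return pow(alpha, xi, P) == beta * pow(h[j], -1, P) % P


def run_protocol_2(P: int, alpha: int, x: int, T: int,
                   rng: Optional[random.Random] = None) -> bool:
    """One parallel execution with security parameter T; True iff B accepts."""
    rng = rng or random.Random()                      # use secrets in a real deployment
    e = [rng.randrange(P - 1) for _ in range(T)]
    b = [rng.randrange(2) for _ in range(T)]          # COIN FLIPPING
    return verifier_check(P, alpha, pow(alpha, x, P), honest_round(P, alpha, x, b, e))


def all_transcripts(P: int, T: int,
                    round_fn: Callable[[Sequence[int], Sequence[int]], Transcript]) -> List[Transcript]:
    """Every transcript round_fn can produce: all coin vectors b times all
    (P-1)^T choices of the T free values (e for A, r for A')."""
    out = [round_fn(b, v)
           for b in itertools.product((0, 1), repeat=T)
           for v in itertools.product(range(P - 1), repeat=T)]
    return sorted(out, key=repr)


def same_distribution(P: int, alpha: int, x: int, T: int) -> bool:
    """Exhaustive check of Theorem 4(b): the honest and simulated transcript
    multisets coincide, so the joint distributions are identical."""
    beta = pow(alpha, x, P)
    hon = all_transcripts(P, T, lambda b, v: honest_round(P, alpha, x, b, v))
    sim = all_transcripts(P, T, lambda b, v: simulated_round(P, alpha, beta, b, v))
    return hon == sim


if __name__ == "__main__":
    print("B accepts:", run_protocol_2(23, 5, 9, 16, random.Random(7)))
    print("honest == simulated (T = 2):", same_distribution(23, 5, 9, 2))
```

The enumeration is only feasible for toy parameters; its point is that the map $(e_1, \ldots, e_T) \mapsto (\xi, s_l)_{l \ne j}, (s_k)_{k \in K}$ is a bijection on $Z_{P-1}^T$ for every b, which is exactly what the proof of Theorem 4(b) uses.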

4. A protocol for proving possession of a discrete logarithm modulo a composite public 
key. 

In this section we consider the analogues of protocols 1 and 2 modulo composite numbers, where
we assume that the proving party A knows the factorization of N (henceforward called $N_A$).

So the problem is the following: A knows a solution to the equation $\alpha^x = \beta \pmod{N_A}$,
where $N_A$ is a composite modulus whose factorisation is known to A only. Again $\alpha$, $\beta$ are public
and B wants to be convinced that A knows x. And A wants to convince B, but does not want to
release any information about either x or the factorization of $N_A$. Note that the operations on the
numbers themselves are carried out modulo $N_A$, but on the exponents modulo $\phi(N_A)$.

First consider the analogue of protocol 1. As is easily verified, the protocol is feasible, but
cannot be proven to be secure. The crucial point here is that when we look at the simulator for
protocol 1, this simulator cannot execute step 3 since it does not know $\phi(N_A)$ (namely, this is
essentially equivalent to knowing the factorisation of $N_A$). The simulator must generate pairs
(h, s) for which $h^s = \beta \pmod{N_A}$. But since we cannot prove that any simulator can do this in
polynomial time (in fact this does not seem very likely), this modification of protocol 1 cannot be
proven secure.

As we will show now, protocol 2 can be used for composite numbers as well, be it at the
cost of a very small probability of insecurity.

Protocol 3: $\alpha^x = \beta \pmod{N_A}$; $N_A$, $\alpha$, $\beta$ are public; x and the factorization of $N_A$ a secret of A.

This protocol is exactly the same as protocol 2 except that exponents are chosen modulo
$\phi(N_A)$. The sums and differences of exponents are also revealed modulo $\phi(N_A)$.

Theorem 5. (a) A can cheat in protocol 3 with probability at most $2^{-T}$ if she does not know x, and
(b) there exists a polynomial-time prover simulator A' that produces a conversation with almost
the same probability distribution.

Proof:

(a) Correctness: the same as for protocol 2.

(b) Security: The added complication is that A must not only know x, but, in order to perform
the protocol, must also know the value of $\phi(N_A)$. Hence the possibility arises that A may release
some information about the factorization of $N_A$. However, we can use the same simulator
machine A' as in the proof of security for protocol 2, except that A' chooses exponents uni-
formly from the set $\{1, \ldots, N_A\}$. We can do this since the construction for A' involves no
exponent arithmetic modulo $\phi(N_A)$. Thus the value of $\phi(N_A)$ is not used by A'. The resulting
probability distribution is not identical to the one generated by A, who chooses her exponents in
$\{1, \ldots, \phi(N_A)\}$. However, a straightforward computation shows that the difference of these distribu-
tions, as expressed by the sum of absolute differences in definition 2, is negligibly small. Use
here that $(N_A - \phi(N_A))/N_A$ is exponentially small in the size of $N_A$ (assuming that $N_A$ is the product
of two prime numbers of nearly the same size). Thus protocol 3 releases almost no information. □



5. An insecure protocol for proving possession of a discrete logarithm modulo a compo- 
site number when the factorization of the number is not known. 

The problem is the following: A knows a solution to the equation $\alpha^x = \beta \pmod N$, where N is a
composite modulus. $\alpha$, $\beta$ are public and B wants to be convinced that A knows x. A wants to
convince B, but does not want to release any information about x. Here A does not know the
factorization of N.

Protocol 4: $\alpha^x = \beta \pmod N$; N, $\alpha$, $\beta$ are public; x a secret of A; A does not know a factor of N.

This protocol is the same as protocol 3 except that exponents are randomly chosen between
1 and N. Sums and differences of exponents are not reduced modulo $\phi(N)$ (since A does
not know $\phi(N)$) and are instead released as integer sums.
Theorem 6. Protocol 4 releases information with regard to definition 2.

Proof: As before, $K := \{i : b_i = 0\}$, $L := \{i : b_i = 1\}$, $k \in K$ and $l \in L$. Define
$s_{max} := \max\{s_l : l \in L\}$, and $s_{min}$ similarly. Because we treat the $s_l$ and the $e_l$ as integers, there
is no wrap around modulo $\phi(N)$. So $s_{max} - s_{min} = (s_{max} + e_j) - (s_{min} + e_j) = e_{max} - e_{min} =: X$;
note that X is the length of the smallest interval containing all $e_l$, for $l \in L$.
Because $e_{min} \in [1, N]$ and $e_{max} = e_{min} + X \in [1, N]$ we find that $e_{min} \in [1, N - X]$. This implies
that $x = e_{min} + \xi - (e_{min} - e_j) = e_{min} + \xi - s_{min} \in [1 + \xi - s_{min},\ N - X + \xi - s_{min}]$. Now
it is immediately clear that A', who does not know x, cannot produce a conversation with the
same probability distribution as A. This proves that protocol 4 leaks information in the sense of
definition 2. □

We consider the Shannon information released by protocol 4. When X is very close to N,
then the number of possible values for x drops from N to N − X. It is easy to see that when the
number of equally likely possibilities reduces with a factor $2^{-m}$, then m bits of Shannon informa-
tion are revealed. This (or a similar computation using entropy) shows that the amount of infor-
mation released by this protocol equals $\log_2 (N / (N - X)) = \log_2 (1 - X/N)^{-1}$. Let $\Lambda$ denote
the stochastic variable for the length of the interval, and let $\Pr(\Lambda = X)$ be the probability that X is
the length of the interval. Then we define the average release of information as

$$\sum_{X=1}^{N} \Pr(\Lambda = X)\, \log_2 \frac{1}{1 - X/N}.$$

A straightforward computation of this sum shows that the aver-
age release of information for this protocol is approximately $\log_2 |L| < \log_2 T$, where |L| is the
cardinality of L.
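The leak of Theorem 6, as an added example that is not part of the paper: the Python code below runs protocol 4 honestly and then lets B compute, from the released integers $s_l$ and $\xi$ alone, the interval $[1 + \xi - s_{min},\ N - X + \xi - s_{min}]$ in which x must lie, together with the number of bits $\log_2(N/(N-X))$ this reveals. N = 13 · 17, $\alpha$ = 2 and x are constructed toy values; the same computation works for any N, since only the width N − X of the interval depends on the transcript.

```python
# Added example (not from the paper): protocol 4 over a composite N whose
# factorisation A does not know, and the interval for x that B can compute from
# the integer differences s_l and xi (the leak of Theorem 6).  N = 13 * 17,
# alpha = 2 and x = 123 are constructed toy values.  Requires Python 3.8+.
import random
from math import gcd, log2
from typing import Optional, Sequence, Tuple


def first_one(b: Sequence[int]) -> Optional[int]:
    """j := min{i : b_i = 1}, or None when all coins are 0."""
    return next((i for i, bi in enumerate(b) if bi == 1), None)


def prover_messages(N: int, alpha: int, x: int, b: Sequence[int], e: Sequence[int]):
    """A: h_i = alpha^{e_i} mod N; s_i = e_i (b_i = 0) or the plain integer
    e_i - e_j (b_i = 1); xi = x - e_j as a plain integer.  Nothing is reduced
    modulo phi(N) because A does not know it."""
    j = first_one(b)
    h = [pow(alpha, ei, N) for ei in e]
    s = [ei if bi == 0 else ei - e[j] for ei, bi in zip(e, b)]
    xi = None if j is None else x - e[j]
    return h, s, xi


def verifier_check(N: int, alpha: int, beta: int, h: Sequence[int], b: Sequence[int],
                   s: Sequence[int], xi: Optional[int]) -> bool:
    """B's checks; negative exponents are fine because gcd(alpha, N) = 1."""
    j = first_one(b)
    for i, bi in enumerate(b):
        if bi == 0 and pow(alpha, s[i], N) != h[i]:
            return False
        if bi == 1 and pow(alpha, s[i], N) != h[i] * pow(h[j], -1, N) % N:
            return False
    return j is None or pow(alpha, xi, N) == beta * pow(h[j], -1, N) % N


def leak_interval(N: int, b: Sequence[int], s: Sequence[int], xi: Optional[int]) -> Tuple[int, int]:
    """What B learns from the transcript alone (proof of Theorem 6):
    X := s_max - s_min over l in L (s_j = 0 is one of them), and
    x in [1 + xi - s_min, N - X + xi - s_min]."""
    L = [i for i, bi in enumerate(b) if bi == 1]
    if not L:
        return 1, N                       # nothing beyond the a-priori range [1, N]
    s_min, s_max = min(s[i] for i in L), max(s[i] for i in L)
    X = s_max - s_min
    return 1 + xi - s_min, N - X + xi - s_min


def leaked_bits(N: int, interval: Tuple[int, int]) -> float:
    """Shannon information released: log2(N / (N - X)), N - X being the width."""
    lo, hi = interval
    return log2(N / (hi - lo + 1))


def run_protocol_4(N: int, alpha: int, x: int, T: int,
                   rng: Optional[random.Random] = None) -> Tuple[int, int]:
    """One accepted execution; returns the interval B can narrow x down to."""
    assert gcd(alpha, N) == 1 and 1 <= x <= N
    rng = rng or random.Random()
    beta = pow(alpha, x, N)
    e = [rng.randrange(1, N + 1) for _ in range(T)]   # exponents in [1, N]
    b = [rng.randrange(2) for _ in range(T)]          # COIN FLIPPING
    h, s, xi = prover_messages(N, alpha, x, b, e)
    if not verifier_check(N, alpha, beta, h, b, s, xi):
        raise RuntimeError("honest run rejected")
    return leak_interval(N, b, s, xi)


if __name__ == "__main__":
    N, alpha, x = 13 * 17, 2, 123
    for T in (2, 8, 32):
        lo, hi = run_protocol_4(N, alpha, x, T, random.Random(T))
        print(f"T={T:2d}: x in [{lo}, {hi}] ({leaked_bits(N, (lo, hi)):.2f} bits leaked)")
```

The larger T, the more indices fall into L and the more spread the $e_l$ have, so X grows and the interval shrinks; this is the sense in which the average leak of roughly $\log_2 |L|$ bits grows with T rather than vanishing.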

6. A protocol for proving that two elements generate the same group in $Z_P^*$ or $Z_N^*$.

Let $\alpha \in Z_P^*$ or $Z_N^*$, and let $\langle\alpha\rangle$ denote the multiplicative subgroup generated by $\alpha$. Protocol 1, 2
or 3 can all be used to show that $\langle\alpha\rangle = \langle\beta\rangle$ provided that A knows a relation between $\alpha$ and $\beta$.
Note that proving that $\langle\alpha\rangle = \langle\beta\rangle$ is a problem not known to be solvable in polynomial time
even modulo a prime number.

Protocol 5: $\langle\alpha\rangle = \langle\beta\rangle$ in $Z_N^*$; $\alpha$, $\beta$ and N are public; x for which $\alpha^x = \beta \pmod N$ is a secret of
A.

Use protocol 1, 2 or 3 in both directions: A shows to B that she knows how to express $\beta$ as
a power of $\alpha$ and how to express $\alpha$ as a power of $\beta$.

The correctness of this protocol is easy to understand: $\langle\alpha\rangle = \langle\beta\rangle$ if and only if there exists an x
such that $\alpha^x = \beta \pmod N$ and a y such that $\beta^y = \alpha \pmod N$. A knows x and $\phi(N)$, thus A
can compute $y = x^{-1} \pmod{\phi(N)}$ in polynomial time (using that $\gcd(x, \phi(N)) = 1$). So A can perform
protocol 1, 2 or 3 in both directions, thus showing knowledge of both x and y. The security of
sequential use for these protocols lies in the kind of security proved. In the terminology of Berger,
Kannan, Peralta [BKP85], the proofs of security of protocols 1-3 show that these protocols are
strongly secure and therefore can be executed one after the other without loss of security.

7. Applications and open problems.

We conclude with an application and two open problems:

1. Diffie-Hellman Key Exchange can be made more secure:

In a fair execution of the so-called Diffie-Hellman Key Exchange protocol [DiHe76] both parties
choose an exponent $x_A$ and $x_B$, they send $\beta_A := \alpha^{x_A} \pmod P$ and $\beta_B := \alpha^{x_B} \pmod P$ to each
other, and they use $\beta_B^{x_A} = \beta_A^{x_B}$ as their secret communication key.

Now suppose B has two polynomial time algorithms $F_1$ and $F_2$. On input $\alpha$, P, $\beta_A$ algo-
rithm $F_1$ yields $\delta$, which B uses as his $\beta_B$. Using $\delta^{x_A}$ as a key, A sends a message to B. This
message, together with $\alpha$, P, $\beta_A$, is fed to algorithm $F_2$ which has $x_A$ as output.

As far as we know it has not been proven that such algorithms $F_1$, $F_2$ and such $\delta$ do not
exist. This would be undesirable, because when B knows $x_A$ he can pretend to be A to a third
party. Using protocol 1 or 2 in this paper we can extend the Diffie-Hellman Key Exchange pro-
tocol by requiring both parties to show they know the discrete logarithm x. Then for B's attack
to work, he would have to know $\log_\alpha \delta$ besides $\delta$. But as is easily verified, this implies that B has
a polynomial algorithm for the Discrete Log Problem (he can himself simulate the message sent
by A).

2. Can the same protocols be used with two generators?

Suppose that A wants to prove she knows $x_1$ and $x_2$ such that $\alpha_1^{x_1} \alpha_2^{x_2} = \beta \pmod N$. Note that
the status of this "Relaxed" Discrete Log Problem is not clear.

3. How hard is it to find any root of a given number $\beta$ modulo a composite N of which the factori-
zation is not known?

This is the problem mentioned at the end of the discussion of protocol 1 in section 4: can one find
in polynomial time a pair (h, s), s > 1, which is a solution for $h^s = \beta \pmod N$, or is this problem
reducible to a hard problem?
Cryptographic Capsules:
A Disjunctive Primitive 
for Interactive Protocols 

Josh Cohen Benaloh* 



1 Introduction 

This paper describes a deceptively (almost embarrassingly) simple technique, that
of cryptographic capsules, which allows Alice to convince Bob that either X or Y is
true without giving Bob any information as to which is the case. Capsules are an
instrumental part of the machinery used to compose ballots in the cryptographic
election scheme of [CoFi85] (see also [Coh86], [Ben86], and [BeYu86]), but they
have far broader applications. Use of capsules substantially simplifies the "zero-
knowledge" interactive proof system for quadratic non-residuosity published in
[GMR85]. Their use also provides a tremendous simplification of the "result-
indistinguishable" interactive proof system published in [GHY85]. Capsules have
been incorporated into the zero-knowledge protocol for interactively proving non-
isomorphism of graphs described in [GMW86]. Finally, capsules are shown here
to provide a mechanism more efficient than that of [GMW86] by which Alice can
convince Bob (in a zero-knowledge fashion) of the validity of any NP predicate.

Despite their simplicity, it seems that the applications of capsules may go far be-
yond those mentioned here, and capsules have the potential to become a standard
primitive construct for many kinds of interactive protocols.

2 Cryptographic Capsules 

A cryptographic capsule (or simply capsule) is a randomly ordered collection of 
objects, each of which is of some specified form. The order of the elements of 
the capsule is randomly permuted to hide which element is of which type; or, 
alternately, some easily computable ordering function (such as <) can be applied 
to the capsule to obscure the original ordering. 

"This work was supported in part by the National Security Agency under Grant MDA904-84-H-0004. 

A.M. Odlyzko (Ed.): Advances in Cryptology - CRYPTO '86, LNCS 263, pp. 213-222, 1987. 
A simple example of a capsule is a pair of integers, one of which is even and
one of which is odd, e.g. (4, 13). This capsule, however, is not very interesting
because it is readily apparent which is the odd integer and which is the even
integer.

A somewhat more useful capsule may be an (unordered) pair of integers $\{n_1, n_2\}$
with $n_1 = p_1 q_1$ where $p_1$ and $q_1$ are each primes congruent to 1 modulo 4 and
$n_2 = p_2 q_2$ where $p_2$ and $q_2$ are each primes congruent to 3 modulo 4.

If we assume that distinguishing between these two cases is hard, then this 
suggests a simple method for flipping a coin over a telephone. Alice prepares such 
a pair and transmits it to Bob; Bob then selects one element from the pair and 
transmits his choice to Alice; finally, Alice reveals the factors of both n_1 and n_2 to 
Bob. We may say that the coin flip is heads if Bob chose the element with factors 
congruent to 1 modulo 4 and tails otherwise. 

This is not an ideal example, since Alice could have simply transmitted a single 
integer of one of the two preceding classes and waited for Bob to guess which 
class it was from. The real power of capsules comes from the ability to prove 
interactively that a capsule is of the required form without the need to later reveal 
secret information about its contents. 

3 Residue Classes and Capsules 

Most of the interesting applications of cryptographic capsules so far explored in- 
volve their use with residue classes. The feature of residue classes which is im- 
portant for this application is that two integers can be shown to be of the same 
residue class without giving any information about the actual residue classes to 
which the integers belong. 

Formally, for any given integers n and y, y is said to be an r-th residue modulo n 
if and only if there exists some integer x such that y = x^r (mod n). The following 
lemma characterizes residue classes. 

Lemma 1 Let φ(n) denote the Euler totient function, and choose n and r such 
that r | φ(n) and r^2 ∤ φ(n). If y is relatively prime to n and is not an r-th residue 
modulo n, then every w which is relatively prime to n is expressible as w = x^r y^i 
(mod n) for a unique integer i in the range 0 ≤ i < r. 

This i is the residue class of w with respect to n, y, and r. 

An important (although slightly variant) special case occurs when r = 2, and 
n is the product of two distinct primes. We ignore the choice of y here and denote 
the set of quadratic residues by class 0 and the set of quadratic non-residues with 
Jacobi symbol 1 by class 1. 

A property of residue classes is apparent from the definition. 
Lemma 2 If x_1 and x_2 are members of residue classes i_1 and i_2, respectively, then 
the product x_1 x_2 is a member of residue class i_1 + i_2. 

Note that for all integers i, residue classes i and i + r are different denotations 
of the same class. The canonical denotation of a residue class I will be the unique 
class i with 0 ≤ i < r such that i = I (mod r). 

Finally, the following lemma shows how two integers can be shown to be of the 
same residue class. 

Lemma 3 Two integers x_1 and x_2 which are relatively prime to n are of the same 
residue class with respect to n, y, and r if and only if there exists some integer v 
such that v^r = x_1/x_2 (mod n). 

Thus, to prove that two integers are of the same residue class, it is necessary 
only to exhibit an r-th root of their quotient. 

4 Some Applications 
4.1 Elections 

In the cryptographic election work of [CoFi85], each voter prepares, as a ballot, 
a capsule which consists of a random member of residue class 0 (denoting a 
no vote) and a random member of residue class 1 (denoting a yes vote). Later, 
each voter will designate one of the components of his or her capsule as the actual 
vote. The votes can then be multiplied together, and (by Lemma 2) the resulting 
product is a member of residue class t, where t is the total number of yes votes. 
A powerful agent (such as a government) which holds the factorization of the 
modulus n used can then prove to all participants that the computed product is of 
residue class t without giving any additional information about the residue classes 
of the factors, thus protecting the privacy of the individual votes. 

Where do capsules come in? It is essential that the vote cast by each voter be 
a member of either class 0 or class 1. If a voter were, for example, able to cast a 
vote of class 1,000,000, then this one vote would increment the tally by 1,000,000. 
The voter, however, does not want to reveal to which of class 0 or class 1 his or 
her vote belongs. 

To prove that a chosen capsule C is of the required form, a voter engages in 
an interactive proof (see [FMR84] and [GMR85]). Each voter prepares a set B of 
(say) 100 additional capsules — each one, as the original, consisting of a random 
member of residue class 0 and a random member of residue class 1. Random bits 
are then generated¹, and used to partition B into sets S and T. The capsules of 

¹ We assume here that some generally trusted source of randomness can be obtained, perhaps by XORing 
random bits generated by all (or some trusted subset) of the participants. In the other protocols described, 
the number of agents is small (usually two), and the challenging agent can generate its own random numbers. 
set S are all "opened" to prove that they each consist of a proper no vote and a 
proper yes vote. (To open a capsule, a voter "opens" each component w of the 
capsule by revealing integers x and i, i ∈ {0, 1}, such that w = x^r y^i (mod n) — 
see Lemma 1.) Each capsule in T is shown to be "equivalent" to C by showing 
that it has one component of the same class as the first component of C and 
one component of the same class as the second component of C. (Recall that by 
Lemma 3, two integers can be shown to be of the same residue class by showing 
that their quotient q is an r-th residue, and this in turn can be shown by exhibiting 
an r-th root of q.) 

Once this process has been completed, it is known that every capsule in S is 
of the required form (one integer of class 0 and one integer of class 1), and every 
capsule of T is of the same form as C. Thus, C is of the required form unless 
every capsule in T is improper. Since the partition of B into S and T was chosen 
randomly after the capsules of B were prepared, C could only be improper if the 
partition were somehow guessed in advance. But the probability of doing this 
successfully is only 1 in 2^100. Hence, there is extremely high confidence that C is 
a proper capsule, and the voter can then vote by selecting one of the components 
of C. 

Formal proofs that this procedure does not yield any extraneous information 
are included in [CoFi85]. 

4.2 Quadratic Residuosity 

The work on elections has been previously published (besides [CoFi85], see [Coh86], 
[Ben86], and [BeYu86] for some extensions), and the above sketch is included only 
to motivate the use of capsules. In section 4.2, we shall examine how the use of 
capsules can greatly simplify protocols which have been published in [GMR85] and 
[GHY85]. 

4.2.1 Zero-Knowledge Non-residuosity 

In [GMR85], a protocol is given whereby Alice convinces Bob that a given y 
is not a quadratic residue modulo a given n. (It is presumed that Alice has 
the factorization of n and that Bob does not.) Alice convinces Bob that y is 
not a residue by demonstrating her ability to distinguish members of a set X of 
randomly chosen residues from members of a set Y consisting of elements formed 
by multiplying other randomly chosen residues by y. If y were a residue, then all 
of the elements of X and Y would be random residues (class 0), and Alice would 
have no hope of distinguishing between them with better than a 50% chance. If, 
however, y is not a residue, then the elements of Y would be random elements 
of class 1. With the factorization of n, Alice can distinguish between elements of 
class 0 and elements of class 1 flawlessly. 

In order to avoid acting as a residuosity oracle for Bob, Alice wants to be 
certain that the numbers she distinguishes between are generated by the protocol, 
i.e. before telling Bob whether a w which he has produced is a residue or a non- 
residue, Alice wants to be certain that Bob already knows which is the case (under 
the assumption that y is not a residue). To accomplish this, the authors include 
a rather cumbersome protocol in which Bob prepares (say) 100 elements of both 
types, "opens" those designated by Alice, opens additional elements to balance 
the types remaining, and applies one of four functions to w and each remaining 
element v according to the classes of w and v. 

The simple process of grouping the elements into capsules eliminates the need 
for the balancing and the four separate functions (as well as the accompanying 
analyses). The process is essentially the same as a one voter election (Bob is the 
voter and Alice is the government). 

Bob sends Alice a w generated either as a residue or as a product of a residue 
and y. Bob then prepares and sends to Alice (say) 100 capsules, each of which 
consists of a randomly chosen residue and the product of y and another random 
residue. Alice then randomly decides for each capsule whether or not it is to be 
opened. Those capsules designated by Alice are opened by Bob proving that they 
are of the stated form. From each remaining capsule, Bob chooses one element, 
which shall be denoted by x, and shows that x is of the same class as w by revealing 
a root of the quotient x/w — this demonstrates that if Bob can determine the class 
of x, he can also determine the class of w since they are the same by Lemma 3. 
As before, unless Bob already has sufficient information to determine the class of 
w without Alice's help, Bob has only 1 chance in 2^100 of successfully answering 
Alice's challenges. 

4.2.2 Result-indistinguishable Residuosity 

[GHY85] generalizes the result of [GMR85] in such a way that an observer, Carol, 
watching the protocol between Alice and Bob gains no information from the pro- 
tocol as to whether Alice convinced Bob that a given z was or was not a quadratic 
residue. 

The key addition to the protocol of [GMR85] is the inclusion of a third set of 
possibilities. Instead of choosing w from among just two sets X and Y , Bob may 
select from an additional set Z. Members of X are randomly generated residues 
(class 0); members of Y are randomly generated non-residues (class 1) — these can 
be produced by multiplying random residues by a known non-residue y; finally, 
members of Z are generated by multiplying random residues by z (all elements of 
Z are of the same class as z). 

To prove to Alice that she is not providing Bob with too much information, 
Bob must send Alice the (scrambled) members of 4 sets (essentially of the form 
of X, Y, Z, and ~Z — a complementary set to Z needed to maintain symmetry). 
The remainder of the protocol is similar to [GMR85], except that the unrevealed 
portions of four sets instead of just two have to be simultaneously balanced (neces- 
sitating an even more arduous analysis), and a four by three table of functions is 
needed corresponding to which set w is a member of and which class each unopened 
element is a member of. 

By using three-component capsules, the protocol of [GHY85] can be simplified 
tremendously. Bob simply prepares a master capsule C, consisting of one member 
of each of X, Y , and Z, and (say) 100 additional scratch capsules of the same form. 
Alice designates some subset of the scratch capsules, and Bob opens these. Bob 
then shows that each remaining scratch capsule is equivalent to C by matching 
components and showing that their quotients are residues. Alice (now convinced 
that C was generated as required) tells Bob which capsule component is of a class 
different from the other two — thus transmitting to Bob the class of z. 

The chance of Alice being fooled into revealing excessive information to Bob is 
only 1 in 2^100. The chance of Alice fooling Bob in one iteration of this protocol is 
1/2, so by iterating the process, Bob can obtain extremely (exponentially) high 
confidence that he has not been misled. Finally, it is not hard to show that Carol 
receives absolutely no information from watching this protocol that she could not 
have obtained on her own. 

The necessary proofs of both [GMR85] and [GHY85] remain unchanged except 
for some straightforward simplifications and the removal of some analyses which 
are no longer necessary when the revised protocols are used. 

4.3 Graph Non-isomorphism 

One example in which capsules are useful without the aid of residue classes is seen 
in a protocol for graph non-isomorphism described in [GMW86]. Their original 
protocol closely followed the non-residuosity protocol of [GMR85]. Here, a prover 
designates a graph H given by the verifier as either a permutation of graph G_1 
or of graph G_2 only after being convinced that the prover already holds such 
a permutation. Their protocol now incorporates capsules in a manner similar to 
that described in Section 4.2.1 (residue classes are replaced by the equivalence 
classes induced by graph isomorphism, and class equivalence is demonstrated by 
exhibiting permutations). With this modification, their protocol and its analysis 
have been simplified. 

5 Boolean Circuit Satisfiability 

Very recently (also in [GMW86]), Goldreich, Micali, and Wigderson gave a simple 
and elegant zero-knowledge interactive protocol to prove for any k that a graph 
is k-colorable without revealing any information about a specific coloring (note 
that it is assumed that the prover possesses a k-coloring of the graph). Because 
k-colorability is NP-complete, this means that any positive instance of a problem 
in NP for which a prover holds a certificate (e.g. a satisfying assignment for 
a Boolean formula) can be reduced to graph colorability and shown in a zero- 
knowledge fashion to be a positive instance. The only assumption made is the 
existence of a probabilistic cryptosystem which is implied by the existence of a 
one-way permutation ([GoMi84],[Yao82]). 

In this section, we shall examine an alternate approach which gives the same re- 
sult by a very different method. The method uses capsules to give a zero-knowledge 
protocol to interactively prove that a given Boolean formula (or arbitrary Boolean 
circuit with in-degree 2) has a satisfying assignment. Brassard and Crepeau in 
[BrCr86] independently of both this work and [GMW86] have achieved the same 
result, and a similar result is given in [Cha86]. 

The major advantage of this method over the original is efficiency. When a 
Boolean formula or circuit is reduced to a colorability graph, the number of vertices 
and edges in the resulting graph is linear in the size of the Boolean formula. 
Each stage of the interactive proof protocol of Goldreich, Micali, and Wigderson, 
however, requires a new encryption of the entire graph; and for any fixed confidence 
level desired, their protocol requires a number of stages which is linear in the 
number of edges in the graph. Thus, the number of probabilistic encryptions 
required by this protocol grows quadratically with the size of the graph (or circuit). 
Because of the local nature of the method presented below, re-encryption is not 
necessary, and the number of probabilistic encryptions required grows only linearly 
with the size of the circuit (or graph). 

The major disadvantage of this method compared to the original method is 
that the new procedure requires a (seemingly) stronger cryptographic assumption. 
Although both methods require a probabilistic encryption function — the best 
known of which is based on residue classes ([GoMi84]), the method given here 
requires a probabilistic encryption function for which two encrypted values can 
be proven (in a zero-knowledge manner) to be encryptions of the same value. 
Although this property is easily achieved by the residue class based probabilistic 
encryption (Lemma 3), it is not at all obvious that every probabilistic encryption 
function has this property. However, by observing that the problem of inverting 
a probabilistic encryption function is itself in NP, the original Goldreich, Micali, 
and Wigderson result can be applied to show that the cryptographic assumption 
required here is, in fact, no stronger than the assumption of the existence of an 
arbitrary probabilistic cryptosystem. 

5.1 The Satisfiability Scheme 

The basic idea of the scheme is again deceptively simple. If Alice wants to prove to 
Bob that a given formula is satisfiable (and Alice has a satisfying assignment), Alice 
begins by choosing an n which is the product of two large primes and providing 
Bob with n and a y (with Jacobi symbol 1) which is not a quadratic residue 
modulo n. This is merely the establishment of a probabilistic encryption function. 
Alice can convince Bob that y is a non-residue by engaging in the non-residuosity 
protocol of section 4.2.1 or by choosing n of a special form so that (for instance) 
y = -1 is a non-residue. 

Alice then draws a circuit to compute the Boolean function (in the obvious way), 
selects a satisfying assignment and sends Bob an encryption of this assignment (for 
each variable, Alice sends Bob a residue if that variable is False/0/Off and a non- 
residue if that variable is True/1/On). Alice then encrypts the output of each gate 
of the circuit in the same manner and sends Bob these encrypted values as well. 

For each gate in the circuit, Alice then interactively proves to Bob that the gate 
computes the required function. The computation of an AND gate will be shown 
here, and other Boolean functions will become apparent. 

To prove that a given gate computes an AND on its inputs, a full truth table 
for AND is used. There are, of course, four possibilities: either both inputs and 
the output are 0; the first input is 0, the second is 1, and the output is 0; the first 
input is 1, the second is 0, and the output is 0; or both inputs and the output 
are 1. A four-component capsule can now be prepared such that each of the four 
components of the capsule is itself an ordered triple. To compute AND, the four 
(unordered) components of the capsule consist of (ordered) triples whose elements 
are members of residue classes (0,0,0), (0,1,0), (1,0,0), and (1,1,1). Once a 
capsule C is interactively proven to be of this form, Alice selects the component 
which corresponds to the actual input and output values of the gate and proves 
that they match by releasing a square root of each quotient. 

To prove that a capsule C is of the above form, Alice prepares many (say 100) 
capsules of this form and Bob selects an arbitrary subset to be opened. Alice 
then proves that each unopened capsule matches C by matching corresponding 
components and releasing square roots of the quotients of all three elements of 
each triple to show that they do, in fact, match. 

Finally, Alice interactively proves that the output of the circuit is 1 by proving 
that this value is a non-residue as in section 4.2.1.² 

Remark Some gates may be computed without the need for an interactive proof. 
For example, an encrypted value may be complemented simply by multiplying it 
by y, and the XOR of two or more encrypted values is represented by their product 
(Lemma 2). 

A mechanism which could obviate the need for any interactive proofs to verify 
gate validity is highly desirable. An encryption homomorphism which allows the 
direct computation of AND or OR together with NOT would of course suffice, 
and this would allow satisfiability to be proven with a single interactive proof of 

² Chaum points out in his work that with a slight modification of this protocol, the need for this final 
interactive proof can be eliminated. 
the value of the output. However, no such probabilistic encryption has yet been 
found. 



6 Conclusions 

The method of cryptographic capsules, especially (but not exclusively) when com- 
bined with residue classes, seems to be a powerful tool with many applications. 
This simple tool makes possible several protocols which would be impractical or 
completely impossible without it. In addition, several previously published 
protocols can be significantly simplified by the use of capsules. 

It is believed that capsules may have many applications which go well beyond 
those described here, and they may become a standard tool in the design of inter- 
active protocols. 
ABSTRACT 

A zero-knowledge interactive proof is a protocol by which Alice can convince a 
polynomially-bounded Bob of the truth of some theorem without giving him any hint as to 
how the proof might proceed. Under cryptographic assumptions, we give a general technique 
for achieving this goal for every problem in NP. This extends to a presumably larger class, 
which combines the powers of non-determinism and randomness. Our protocol is powerful 
enough to allow Alice to convince Bob of theorems for which she does not even have a 
proof: it is enough for Alice to convince herself probabilistically of a theorem, perhaps 
thanks to her knowledge of some trap-door information, in order for her to be able to con- 
vince Bob as well, without compromising the trap-door in any way. 



1. INTRODUCTION 

Assume that Alice holds the proof of some theorem. A zero-knowledge interactive proof 
(ZKIP) is a protocol that allows her to convince a polynomially bounded Bob that she owns such a 
proof, in a way that he will gain nothing else than this conviction: engaging in the protocol with 
Alice gives Bob no hint on Alice's proof, or at least nothing he can make use of in polynomial time. 
In particular, it does not enable him to later convince anyone else that Alice has a proof of the 
theorem or even merely that the theorem is true (much less that he himself has a proof!). This notion 
was introduced by Goldwasser, Micali and Rackoff [GMR]; the reader is referred to this paper for 
formal definitions. An intuitive notion of ZKIP suffices to understand this extended abstract. 

The early examples of ZKIP's were all number theoretic and restricted to problems in 
NP ∩ co-NP [GMR, GHY]. It was conjectured by Silvio Micali, and believed by most researchers, 
that such protocols could not exist for NP-complete problems. Under cryptographic assumptions, we 
show here that this intuition was wrong by providing a ZKIP for satisfiability. The same result was 
obtained independently and slightly earlier by [GMW] as they gave a ZKIP for graph 3-colouring. 
Obviously (because Karp reductions carry NP certificates), it suffices to find a ZKIP for any 
NP-complete problem in order to get one for every problem in NP. Protocols very similar to ours for 
satisfiability are also given in [Be, Ch]. Our protocol is more attractive in practice than that of 
[GMW], but we depend on a specific cryptographic assumption (quadratic residuosity) whereas they 
merely need to assume the existence of secure encryption schemes in the sense of [GM]. 
ZKIP's are conceivable even if Alice does not have a proof to start with. Let us assume that she 
merely has a convincing argument that the theorem is true. In this case, she might wish to convince 
Bob of the theorem with a level of confidence comparable to her own. This transfer of confidence is 
zero-knowledge if it does not provide a polynomially-bounded Bob with any information on the argu- 
ment itself, except for its existence and Alice's knowledge of it. Our main result is that such 
protocols exist for a class of problems probably more extensive than NP. 

To illustrate the ideas, let us assume that Alice wishes to convince Bob that some integer m 
(of her choosing) is the product of exactly k distinct primes. Alice is convinced of the truth of her 
claim because she randomly selected k distinct integers p_1, p_2, ..., p_k that passed some probabilistic 
primality test [R, SS] to her satisfaction. Although proofs of primality for these factors exist since 
PRIMES ∈ NP [Pr], there is no known feasible algorithm for Alice to get these proofs¹. In other 
words, Alice knows (with an arbitrary small probability of error) that m is in the proper form, she 
knows there exists a short proof of this statement, but she cannot find the proof. Using our protocol, 
she can nonetheless convince Bob without compromising the factorization of m in any way (except 
for the fact that Bob will know the number of factors). 

The above example illustrates the fact that our model does not assume that Alice has more com- 
puting power than Bob nor access to some oracle. Although she starts with one piece of additional 
knowledge (either a formal proof of some theorem or merely a convincing argument), this may be the 
result of her using trap-door information. The entire protocol itself can be carried out with polyno- 
mial time resources. 

The general technique allows Alice to guide Bob through the simulation of an arbitrary Boolean 
circuit without ever having to disclose its inputs or any intermediary results. At the end of the proto- 
col, she can nonetheless convince Bob of the final outcome of the circuit. If this turns out to be 1, 
Bob will be convinced that the Boolean function computed by the circuit is satisfiable and that Alice 
holds a satisfying assignment, but he will know nothing else. The bottom line is that, whenever 
Alice can convince herself probabilistically of a fact or theorem, perhaps thanks to her knowledge of 
some trap-door information, she can convince Bob as well without compromising the trap-door. 

2. NUMBER THEORETIC BACKGROUND 

Let n be an integer. Z_n^* denotes the set of integers relatively prime to n between 1 and n-1. 
An integer z ∈ Z_n^* is a quadratic residue modulo n (z ∈ QR_n) if there is an x ∈ Z_n^* such that 
z = x^2 (mod n). An integer z ∈ Z_n^* is a quadratic non-residue modulo n (z ∈ QNR_n) if z ∉ QR_n. 
If p is a prime and if z ∈ Z_p^*, it is easy to determine whether z ∈ QR_p because this is so if and only 
if z^((p-1)/2) = 1 (mod p). Let n = pq be the product of two distinct odd primes. Given z ∈ Z_n^*, let z_p 
and z_q denote (z mod p) and (z mod q), respectively. Given the factorization of n, it is easy to 
determine whether z ∈ QR_n because this is so if and only if z_p ∈ QR_p and z_q ∈ QR_q. Given the 
factorization of n and given z ∈ QR_n, it is also easy (by a Las Vegas algorithm in general [Pe]) to find every 
x ∈ Z_n^* such that z = x^2 (mod n). This is however believed to be hard without the factorization of n. 

¹ Goldwasser and Kilian's new provably correct and probably fast primality test [GK] allows Alice to 
"efficiently" (the running time is currently a 12th power polynomial) get short proofs for those primes on 
which the algorithm turns out to be fast. This might reduce the interest of this particular example, but not 
the interest of our general protocol. 
Given z ∈ Z_n^*, the Jacobi symbol (z/n) is defined as +1 if both z_p and z_q are quadratic residues 
modulo p and q, respectively, or if both are quadratic non-residues; it is defined as -1 otherwise. It is 
easy to compute (z/n) even if the factorization of n is unknown [RSA]. Let Z_n^*[+1] denote the set of 
z ∈ Z_n^* such that (z/n) = +1 and define Z_n^*[-1] similarly. Let QNR_n[+1] denote QNR_n ∩ Z_n^*[+1]. 
It is clear that Z_n^*[-1] ⊂ QNR_n; moreover, exactly half the members of Z_n^*[+1] are quadratic 
residues modulo n and the other half are quadratic non-residues. Both Z_n^*[+1] and QR_n are closed under 
multiplication modulo n, the product modulo n of two members of QNR_n[+1] is a member of QR_n, 
and the product modulo n of a member of QR_n by a member of QNR_n[+1] is a member of 
QNR_n[+1]. A uniformly distributed random element of QR_n can be obtained by randomly choosing 
some x ∈ Z_n^* and squaring it modulo n; given any fixed y ∈ QNR_n[+1], a uniformly distributed 
random element of QNR_n[+1] can be obtained by randomly choosing some x ∈ Z_n^* and computing 
x^2 y mod n. Furthermore, everything we have said so far, except for the definition of the Jacobi 
symbol, remains true if n is of the form p^i q^j, where p and q are distinct odd primes and i and j are 
positive powers of which at least one is odd. 

It is believed that no efficient algorithm can distinguish a quadratic residue from a quadratic 
non-residue, even probabilistically speaking, as long as the latter has Jacobi symbol +1 and the fac- 
torization of n is unknown. For a more formal statement of this quadratic residuosity assumption 
(QRA) and for more background on number theory, please refer to [GM]. 

3. THE ENCRYPTION OF SECRETS 

At the beginning of our protocols, Alice randomly chooses two distinct large primes p and q, 
and she discloses their product n = pq to Bob. Following the QRA, we assume throughout that Bob 
cannot distinguish a quadratic residue modulo n from a quadratic non-residue, as long as the latter 
belongs to Z_n^*[+1]. Alice also randomly chooses and discloses to Bob some y ∈ QNR_n[+1]. (It is 
proven in [GM] that this cannot help Bob distinguish residues from non-residues.) Using the 
zero-knowledge interactive protocol of [GHY], Alice convinces Bob that n is of the form p^i q^j for distinct 
odd primes p and q, and positive integers i and j of which at least one is odd². Using the 
zero-knowledge protocol of [GMR], Alice convinces Bob that y ∈ QNR_n[+1]. 

At this point, Bob could produce uniformly distributed random members of QR_n and QNR_n[+1] 
by choosing a random x ∈ Z_n^* and computing either x^2 mod n or x^2 y mod n. The fact that only Alice 
can distinguish between these two occurrences was the basis of Goldwasser and Micali's original 
probabilistic encryption [GM]. Here, we use this idea in the reverse direction: it will always be Alice 
that produces random members of QR_n and QNR_n[+1]. By convention, members of QR_n are used as 
encryptions of the bit 0 and members of QNR_n[+1] are used as encryptions of the bit 1. Whenever 
Alice shows Bob the encryption z of some bit b, he has no clue as to which bit it encodes (under 
QRA). It is however possible for Alice to prove to Bob whether b = 0 or b = 1 by showing him 
some x ∈ Z_n^* such that z = x^2 y^b mod n. This operation will be referred to as opening the 
secret z. Notice that this is a zero-knowledge proof even though a square root of either z or zy^(-1) is 
given to Bob, because x was randomly chosen by Alice. For this reason, whenever she wishes to 

² It would be nicer if Alice could convince Bob directly that n is of the form pq, but we offer in the 
sequel the first ZKIP capable of achieving this (and therefore we cannot use it yet). This is however of no 
consequence because Alice could only make herself more vulnerable by choosing n = p^i q^j without i = j = 1. 
open a secret z, there is no need for Alice to use the ZKIP of [GMR] in order to convince Bob of 
which among zy^(-1) or z belongs to QNR_n[+1]. We give in the last section of this paper a simplified 
ZKIP for quadratic residuosity when the target is chosen by Bob. 

4. CAN BOB COMPUTE ON ENCRYPTED BITS? 

Let b_1 and b_2 be two secret bits of Alice, and let z_1 and z_2 be their encryptions as given to Bob. 
Even though Bob has no knowledge of b_1 or b_2, he can still compute an encryption of some 
functions of b_1 and b_2. For instance, Bob can compute z_1 y mod n, which is an encryption for the 
negation of b_1. Similarly, Bob can compute z_1 z_2 mod n, which is an encryption of the exclusive-or of b_1 
and b_2 because if z_1 = x_1^2 y^(b_1) mod n and z_2 = x_2^2 y^(b_2) mod n, then 

z_1 z_2 mod n = (x_1 x_2)^2 y^(b_1 + b_2) mod n = x^2 y^((b_1 + b_2) mod 2) mod n, 

where x = x_1 x_2 y^((b_1 + b_2) div 2) mod n. 

Could Bob compute an encryption of the AND or the OR of b_1 and b_2 given only z_1 and z_2? This 
remains an open question. We will show, however, that it is possible for Bob to do so with the 
(zero-knowledge) help of Alice. As a corollary, Bob can compute an encryption of arbitrary Boolean 
functions of bits for which he only has encryptions. After this computation, Alice can open the result 
for Bob without ever having had to open the input Boolean variables or any intermediary informa- 
tion. This idea leads to a simple ZKIP for SAT in Section 6. 

5. HOW ALICE CAN HELP BOB COMPUTE ON ENCRYPTED BITS 

Let $u = b_1 b_2 \cdots b_k$ be a $k$-bit string of Alice. For each $i$, $1 \le i \le k$, let $z_i$ and $z'_i$ be two encryptions of $b_i$ randomly chosen by Alice. It is easy for Alice to convince Bob that the $k$-bit strings encrypted by $z_1 z_2 \cdots z_k$ and $z'_1 z'_2 \cdots z'_k$ are identical without providing Bob with any additional information.

String equality protocol: For each $i$, $1 \le i \le k$, Alice gives Bob some $x_i \in Z_n^*$ such that $z_i z'_i \equiv x_i^2 \pmod n$. Once again, this is a ZKIP because the encryptions were randomly chosen by Alice and not influenced by Bob. □

As above, let $u = b_1 b_2 \cdots b_k$ and let $z_i$ encrypt $b_i$ for each $i$, $1 \le i \le k$. Now, let $u' = b'_1 b'_2 \cdots b'_k$ be some $k$-bit string different from $u$ and let $z'_i$ be an encryption of $b'_i$ for each $i$, $1 \le i \le k$. It is no longer so obvious that Alice can convince Bob that the strings encrypted by $z_1 z_2 \cdots z_k$ and $z'_1 z'_2 \cdots z'_k$ are different without yielding some additional information (such as a specific $i$ for which $b_i \ne b'_i$). The fact that this is possible, and the technique that achieves this protocol, illustrate the core of our main result.

String inequality protocol: For each $i$, $1 \le i \le k$, let $v_i = z_i z'_i \bmod n$. The problem reduces to convincing Bob (by a ZKIP) that the string encrypted by $v_1 v_2 \cdots v_k$ is not identically zero. For this, Alice randomly chooses some permutation $\sigma$ of $\{1, 2, \ldots, k\}$ and $x_i \in Z_n^*$ for $1 \le i \le k$. She then computes and discloses to Bob $w_i = x_i^2 v_{\sigma(i)} \bmod n$ for each $1 \le i \le k$. At this point, Bob sends either challenge A or challenge B to Alice.

• If Bob sent challenge A, Alice must disclose some $i$ such that $w_i$ encrypts a 1, and open this $w_i$ for Bob by giving him a square root of $w_i y^{-1}$ modulo $n$.

• If Bob sent challenge B, Alice must disclose the permutation $\sigma$ and use the string equality protocol to convince Bob that $w_1 w_2 \cdots w_k$ encrypts the same string as $v_{\sigma(1)} v_{\sigma(2)} \cdots v_{\sigma(k)}$.

This process is repeated $s$ times, for some safety parameter $s$ agreed upon between Alice and Bob. In order to convince Bob, Alice must meet every single challenge. □
Theorem

(i) The only knowledge obtainable by Bob from this protocol is that $z_1 z_2 \cdots z_k$ and $z'_1 z'_2 \cdots z'_k$ encrypt distinct bit strings, and

(ii) Alice only has a probability $2^{-s}$ of convincing Bob of this when in fact the strings are identical.

Proof (sketch).

(i) Observe that whenever Bob chooses challenge A, he learns that the original bit strings are distinct in at least one place (if Alice was honest), but this gives him no clue as to any single $i$ such that $b_i \ne b'_i$ because the permutation $\sigma$ is then kept secret. On the other hand, whenever Bob chooses challenge B, he gains no information whatsoever on the original strings.

(ii) If in fact $v_1 v_2 \cdots v_k$ encrypts the identically zero string, the only thing Alice can do to hope to convince Bob of the contrary is to guess exactly which challenge Bob will choose for each round and to encrypt non-identically zero strings with $w_1 w_2 \cdots w_k$ whenever she expects Bob to use challenge A and identically zero strings otherwise. The result follows from the fact that there are $2^s$ equally likely sequences of choices for Bob. □

We are now ready for the main tool used in this paper. Consider any Boolean function $B : \{0, 1\}^t \to \{0, 1\}$ agreed upon between Alice and Bob, and any bits $b_1, b_2, \ldots, b_t$ known to Alice only. For $1 \le i \le t$, let $z_i$ be an encryption of $b_i$ known to Bob. Let $b = B(b_1, b_2, \ldots, b_t)$. Alice can produce an encryption $z$ for $b$ and convince Bob that $z$ encrypts the correct bit without giving him any information on the input bits $b_1, b_2, \ldots, b_t$ nor on the result $b$.

Definition. A permuted truth table for the Boolean function $B$ is a binary string of length $(t+1)2^t$ formed of $2^t$ blocks of $t+1$ bits. The last bit of each block is the value of $B$ on the other $t$ bits of the block, and each assignment of truth values occurs exactly once in the first $t$ bits of some block. For example, here is a permuted truth table for the binary or: 011000111101, which should be read as 0 or 1 = 1, 0 or 0 = 0, 1 or 1 = 1 and 1 or 0 = 1.
Boolean computation protocol: Let the situation be as in the paragraph just before the above definition. Alice randomly chooses a permuted truth table for $B$ and she discloses encryptions for each of its bits. At this point, Bob sends either challenge A or challenge B to Alice.

• If Bob sent challenge A, Alice must open the entire encryption of the permuted truth table, so that Bob can check that it is a valid truth table for $B$.

• If Bob sent challenge B, Alice must point out the appropriate block in the encryption of the permuted truth table and use the string equality protocol to convince Bob that $z_1 z_2 \cdots z_t z$ encrypts the same bit string as this block.

This process is repeated $s$ times, for some safety parameter $s$ agreed upon between Alice and Bob. In order to convince Bob that $z$ is an encryption for $B(b_1, b_2, \ldots, b_t)$, Alice must succeed in meeting every single challenge. □
A theorem very similar to the one for the string inequality protocol can be stated and the proof is essentially identical. Notice that this protocol is interesting only for small $t$ because it is exponential in $t$. In the sequel, we will use it exclusively with $t \le 2$. A very similar Boolean computation protocol was discovered independently by Josh Benaloh [Be] as an application of the general tool of "cryptographic capsules" [CF].

6. ZKIP FOR SAT

The zero-knowledge interactive proof for satisfiability should now be obvious. Let $f : \{0, 1\}^k \to \{0, 1\}$ be the function computed by some satisfiable Boolean formula for which Alice knows an assignment $b_1, b_2, \ldots, b_k \in \{0, 1\}$ such that $f(b_1, b_2, \ldots, b_k) = 1$. Assume the Boolean formula is given using arbitrary unary and binary Boolean operators. In order to convince Bob that the formula is satisfiable, Alice produces encryptions $z_1, z_2, \ldots, z_k$ of $b_1, b_2, \ldots, b_k$, respectively. She then guides Bob through the encrypted evaluation of the formula, one Boolean operator at a time$^3$, using the Boolean computation protocol (with $t \le 2$). This results in an encryption $z$ for the value of $f(b_1, b_2, \ldots, b_k)$. It then only remains for Alice to open $z$ and show Bob that it encrypts a 1.
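The following simulation is an added example (not the paper's own code) of the material in Sections 4, 5 and 6: the encryption $z = x^2 y^b \bmod n$, the negation and exclusive-or that Bob computes alone, the string equality protocol, the Boolean computation protocol with a permuted truth table for a two-input gate, and the resulting ZKIP for SAT with a final opening. Both parties are played by one program; the primes are constructed toy values, the standard $y$ is assumed to have been proven to Bob already, and the challenge sequence is random unless forced.

```python
import math
import secrets

# Constructed toy primes; a real modulus must be unfactorable.
P, Q = 999983, 1000003
N = P * Q

def legendre(a, p):
    return pow(a, (p - 1) // 2, p)        # 1 if a is a QR mod p, p-1 otherwise

def random_unit():
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            return x

def standard_qnr():
    """y that is a non-residue mod both primes, i.e. in QNR_n[+1]."""
    while True:
        y = random_unit()
        if legendre(y, P) == P - 1 and legendre(y, Q) == Q - 1:
            return y

Y = standard_qnr()   # the standard y, assumed already proven to Bob

# Alice holds a ciphertext as (z, x, b) with z = x^2 y^b mod n; Bob sees only z.
def encrypt(b):
    x = random_unit()
    return (x * x * pow(Y, b, N) % N, x, b)

def bob_checks_opening(z, x, b):
    """Opening a secret: Alice reveals x and b, Bob checks z = x^2 y^b mod n."""
    return z == x * x * pow(Y, b, N) % N

# Section 4: what Bob can compute alone; Alice only tracks the matching x.
def negate(c):
    z, x, b = c                          # z*y = (x*y^b)^2 * y^(1-b)
    return (z * Y % N, x * pow(Y, b, N) % N, 1 - b)

def xor(c1, c2):
    (z1, x1, b1), (z2, x2, b2) = c1, c2  # z1*z2 = (x1*x2*y^((b1+b2) div 2))^2 * y^((b1+b2) mod 2)
    return (z1 * z2 % N, x1 * x2 * pow(Y, (b1 + b2) // 2, N) % N, (b1 + b2) % 2)

# Section 5, string equality: the two strings encrypt the same bits, so Alice
# knows a square root of every product z_i * z'_i without factoring n.
def equality_witness(cs1, cs2):
    return [x1 * x2 * pow(Y, b1, N) % N for (_, x1, b1), (_, x2, _) in zip(cs1, cs2)]

def bob_checks_equality(zs1, zs2, roots):
    return all(r * r % N == z1 * z2 % N for z1, z2, r in zip(zs1, zs2, roots))

def gate(func, c1, c2, rounds=20, challenge=None):
    """Boolean computation protocol for a 2-input gate (t = 2). Returns the
    output ciphertext (held by Alice) once Bob has accepted every round."""
    out = encrypt(func(c1[2], c2[2]))
    for _ in range(rounds):
        # Alice: a random permuted truth table, every bit freshly encrypted.
        rows = [(a1, a2, func(a1, a2)) for a1 in (0, 1) for a2 in (0, 1)]
        secrets.SystemRandom().shuffle(rows)
        table = [[encrypt(bit) for bit in row] for row in rows]
        ch = challenge or secrets.choice("AB")          # Bob's challenge
        if ch == "A":
            # Alice opens every bit; Bob checks the openings and the table.
            if not all(bob_checks_opening(*c) for row in table for c in row):
                raise ValueError("Bob rejects: bad opening")
            seen = {(r[0][2], r[1][2]) for r in table}
            if len(seen) != 4 or any(r[2][2] != func(r[0][2], r[1][2]) for r in table):
                raise ValueError("Bob rejects: not a permuted truth table")
        else:
            # Alice points at the block matching her inputs and shows that
            # z1 z2 z encrypts the same 3-bit string, without opening anything.
            j = rows.index((c1[2], c2[2], out[2]))
            roots = equality_witness([c1, c2, out], table[j])
            if not bob_checks_equality([c1[0], c2[0], out[0]],
                                       [c[0] for c in table[j]], roots):
                raise ValueError("Bob rejects: block does not match")
    return out

# Section 6, ZKIP for SAT: wires 0..k-1 hold Alice's assignment; each gate is
# ("and"|"or"|"xor"|"not", i[, j]) over earlier wires; the last wire is f.
def prove_sat(assignment, gates, rounds=20):
    wires = [encrypt(b) for b in assignment]   # Alice commits to her assignment
    for op, *args in gates:
        if op == "not":
            wires.append(negate(wires[args[0]]))                # Bob alone
        elif op == "xor":
            wires.append(xor(wires[args[0]], wires[args[1]]))   # Bob alone
        else:
            f = {"and": lambda a, b: a & b, "or": lambda a, b: a | b}[op]
            wires.append(gate(f, wires[args[0]], wires[args[1]], rounds))
    z, x, b = wires[-1]
    return bob_checks_opening(z, x, b) and b == 1   # Alice opens z; it must be a 1

if __name__ == "__main__":
    formula = [("or", 0, 1), ("not", 2), ("and", 3, 4)]   # (b1 or b2) and not b3
    print(prove_sat([1, 0, 0], formula))    # True
```

Bob never sees an $x$ of an input wire: in challenge A only the freshly encrypted table is opened, and in challenge B he receives square roots of products of two encryptions of the same bit.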

7. ZKIP FOR THE NUMBER OF PRIME FACTORS 

Let us now come back to the problem mentioned in the introduction. Alice has selected $k$ distinct primes $p_1, p_2, \ldots, p_k$ and she has formed their product $m = p_1 p_2 \cdots p_k$. She wishes to convince Bob that $m$ is indeed the product of exactly $k$ distinct primes. Let $l$ be the number of bits in $m$. Each factor will be considered as a length $l$ binary string, with leading zeroes if needed. As a first step, Alice encrypts each of the factors and she discloses these encryptions to Bob. The string inequality protocol is used to convince Bob that the factors are all distinct and that none of them is equal to 1. She then guides Bob through the simulation of a Boolean circuit for iterated multiplication. This produces the encryption of a length $kl$ bit string, which Alice opens to show that it encrypts $(k-1)l$ zeroes followed by the binary representation of $m$.

At this point, Alice still has to convince Bob that each of these factors is a prime. If she had a proof of this, she could encode it as the input to a proof verification Boolean circuit and guide Bob through its evaluation. Recall, however, that her conviction that each of the $p_i$ is prime comes from her own running of a probabilistic primality test. None of these runs can be considered as convincing by Bob because he cannot trust that Alice was honest in her coin tosses.

This is where our technique is most powerful. Consider a Boolean circuit with two $l$-bit inputs $p$ and $c$ that outputs 1 if and only if $c$ is a certificate that $p$ is composite (where primes have no certificates and composites have lots [R, SS]). Recall that Bob was given by Alice an encryption of each bit of each $p_i$. With the help of Alice, he can run as many randomly chosen $c$'s as he wishes into the circuit for each $p_i$ and ask her to open the circuit outcomes. If he ever gets a 1, he will know for sure that the corresponding $p_i$ is composite and that Alice had been cheating (or perhaps that Alice was honest after all, and that she just discovered with him that this $p_i$ is composite!). Otherwise, since he has complete control over the $c$'s, he can convince himself, with any level of confidence, that $m$ is the product of exactly $k$ distinct primes. This protocol can be adapted if Alice wished instead to convince Bob that there are exactly $k$ distinct primes in the factorization of $m$, regardless of their multiplicities. A more practical variation allows Alice to convince Bob that the prime factors of $n$ have interesting properties, such as being of the form $2q+1$, where $q$ is also a prime.

3. To save on the number of communication rounds, the various operators can be processed in parallel.

8. THE GENERAL PROTOCOL 

Recall that BPP stands for the class of decision problems that can be solved in probabilistic polynomial time with bounded error probability [G]. It is reasonable to consider BPP as the real class of tractable problems (rather than P) because the error probability can always be decreased below any $\varepsilon > 0$ by repeating the algorithm $c \log \varepsilon^{-1}$ times and taking the majority answer, where $c$ depends only on the original error probability. It is generally believed that there is no inclusion relation either way between NP and BPP: non-determinism and randomness seem to be incomparable powers. These powers can be combined in several ways. We believe the most natural to be Babai's class MA [Ba], which we would rather call RNP as random NP. This class is such that NP $\cup$ BPP $\subseteq$ RNP, hence NP is almost certainly a strict subset of RNP. For a discussion as to why we favour MA over the seemingly more powerful AM or interactive proof systems [GMR], please consult [BC].

Definition. Let $\Sigma$ stand for $\{0, 1\}$. A decision problem $X \subseteq \Sigma^*$ belongs to RNP if and only if there exists a predicate $A \subseteq \Sigma^* \times \Sigma^*$ and a polynomial $p(n)$ such that

(i) $A \in$ BPP, and

(ii) $(\forall x \in \Sigma^*)\,[\,x \in X \Leftrightarrow (\exists a \in \Sigma^*)\,[\,|a| = p(|x|) \text{ and } \langle x, a \rangle \in A\,]\,]$

(such an $a$ is referred to as an argument for $x$). □

Notice that this would correspond to the polynomial hierarchy characterization of NP had we insisted that $A \in$ P. The restriction $|a| = p(|x|)$ instead of the usual $|a| \le p(|x|)$ is there for a technical reason. Notice also that $X \in$ NP whenever $A \in$ NP.

Intuitively, $X \in$ RNP means that whenever $x \in X$, there is a (possibly hard to find) short argument for this, and that the validity of this argument can be checked probabilistically in polynomial time. We are about to prove that if $X \in$ RNP, if the proof that $X \in$ RNP is in the public domain, and if Alice knows an argument $a$ for some $x \in X$, she can convince Bob with a ZKIP that $x \in X$. As a warm up, let us first restrict ourselves to one-sided probabilistic algorithms.

Recall that RP (sometimes referred to as R) is the class of decision problems that can be solved in polynomial time by a one-sided bounded error probabilistic algorithm [A]. Here, each time the probabilistic algorithm is run on a yes-instance, it accepts with probability at least $\tfrac{1}{2}$, whereas it always rejects no-instances. It is well known that RP $\subseteq$ NP $\cap$ BPP and that co-RP $\subseteq$ BPP, but co-RP and NP are probably incomparable. Whenever $x$ is a yes-instance of a co-RP problem, one can convince him/herself that this is so (by repeating the algorithm), but there does not have to exist a succinct proof of this.
Theorem (under QRA). Consider a problem $X \in$ RNP such that the corresponding $A$ (refer to the definition of RNP) belongs to co-RP. Assume that the characterization $A$ for $X$ and a co-RP algorithm for $A$ are in the public domain. Let Alice have an argument $a$ for some $x \in X$. Although she may not have a definite proof that $x \in X$, she convinced herself probabilistically that $\langle x, a \rangle \in A$, hence $x \in X$. It is then possible for Alice to convince Bob in polynomial time that $x \in X$ without disclosing any additional information.

Proof (sketch). Alice and Bob agree on a probabilistic one-sided Boolean circuit for the complement of $A$. (That is: on any yes-instance of $A$, using any random choices, the circuit outputs a 0; on any no-instance of $A$, the circuit outputs a 1 for at least 50% of the random choices.) Alice gives Bob an encryption for each bit of $x$, and she opens them to show that they encrypt $x$. Alice also gives Bob an encryption for each bit of $a$, but she keeps $a$ itself secret. She then guides Bob through the evaluation of the Boolean circuit on input $\langle x, a \rangle$, using Bob's coin tosses, until the encrypted outcome is obtained. She then opens this outcome to Bob, who can ascertain that it is indeed a 0. This process is repeated until Bob is convinced that $\langle x, a \rangle \in A$, hence that $x \in X$. Clearly, this gives Bob no information on $a$ (except for its mere existence and Alice's knowledge of it) because the only possible outcome for the Boolean circuit is 0, provided Alice was not trying to cheat. Bob does not even learn the length of $a$ because it had to be exactly $p(|x|)$ by definition of RNP. □

The above protocol does not work directly for $X \in$ RNP in general, because it would not be zero-knowledge. Indeed, Bob would gain information on Alice's argument $a$ from knowledge of which random choices made the circuit accept $\langle x, a \rangle$ and which made it reject, or even merely from knowledge of the number of each of these occurrences. (Recall that if $A \in$ BPP but $A \notin$ RP $\cup$ co-RP, the probabilistic Boolean test circuit for $A$ is expected to output sometimes 0 and sometimes 1 on the same input; the most frequent answer being correct with high probability.) Two ideas are needed to solve this difficulty:

• Alice and Bob agree in advance on the number of runs they wish to carry through the test circuit (depending on the error probability they are willing to tolerate). At the end of each run, Alice no longer opens the outcome. After all the runs are completed, Alice guides Bob through the evaluation of a majority Boolean circuit, using the previously obtained encrypted outcomes as input. It is only the resulting majority bit that Alice finally opens for Bob.

• Even if Alice is honest, the above idea leaves the door open for Bob to cheat: it could be that the circuit outcome is not what she expected because Bob had deliberately chosen the "random" coin tosses to make this occurrence 50% likely. Assuming Alice's good faith, this could yield up to one bit of information to Bob about the argument $a$, which is intolerable. Alice would be almost certain that Bob cheated, but it would be too late by then. In order to prevent this possibility, it is essential that all coins be tossed so that neither Alice nor Bob can influence the outcome, and such that Bob does not get to see the outcome (i.e.: coin tossing in a well). Fortunately, such a protocol is very simple: to toss a coin, Alice gives Bob a randomly chosen element of $Z_n^*[+1]$ and Bob tells her whether to multiply it or not by the standard $y \in QNR_n[+1]$.
Main Theorem (under QRA). Consider any $X \in$ RNP and some $x \in X$ for which Alice knows an argument $a$. Assume the proof that $X \in$ RNP is in the public domain$^4$. Even though Alice may not have a definite proof that $x \in X$, she convinced herself probabilistically that $\langle x, a \rangle \in A$, hence $x \in X$. It is possible for Alice to convince Bob in polynomial time that $x \in X$ and that she knows some argument for this without disclosing any additional information.

Proof (sketch). By the above discussion. □ 

Let us stress again that this protocol is interesting even when $A \in$ NP, hence $X \in$ NP (as in Section 7 because PRIMES $\in$ NP), despite the reduction to SAT in these cases. This is so because Alice could know the argument $a$ for $x$ as a result of her choosing $a$ in the first place (as trap-door information) and producing $x$ from it. She might not, however, have an accepting computation for $\langle x, a \rangle$, even though $A \in$ NP. She can nonetheless make use of our protocol. In other words, it does not require Alice to have more computing power than Bob or to have access to some NP-complete oracle. As long as she can convince herself with the help of her own trap-door, she can convince Bob as well without compromising the trap-door.

9. OTHER EXAMPLES OF ZKIP's 

Our basic technique can be used in various situations. Let us briefly mention a few of them. It allows Alice to convince Bob of the quadratic residuosity of a member of $Z_n^*[+1]$ chosen by Bob without yielding additional information, in a way much simpler than those of [GMR, GHY]. It also allows Alice to convince Bob that an encrypted function is a permutation (see below). More generally, all these building blocks can be used directly to obtain efficient ZKIP's for a variety of NP-complete problems such as Hamiltonian circuit, clique, knapsack, graph 3-colouring, etc.

Quadratic Residuosity Protocol: Bob shows some $z \in Z_n^*[+1]$ to Alice and she is willing to convince him of whether it is a quadratic residue or not. Assume initially that $z \in QR_n$. Alice uses her knowledge of the factors of $n$ to compute some $x \in Z_n^*$ such that $z = x^2 \bmod n$. Because $z$ was chosen by Bob, it would be far from a ZKIP if Alice revealed $x$ to Bob as proof (it could give Bob a 50% chance of factoring Alice's master secret $n$). Instead, Alice randomly generates some $u \in Z_n^*$. She then computes and discloses $w = u^2 \bmod n$. At this point, Bob sends either challenge A or challenge B to Alice.

• If Bob sent challenge A, Alice must disclose $u$ so that Bob can check that $w = u^2 \bmod n$, hence that $w$ is a quadratic residue.

• If Bob sent challenge B, Alice must disclose $ux \bmod n$ so that Bob can check that $(ux)^2 \equiv wz \pmod n$, hence that $w$ has the same quadratic character as $z$.

This process is repeated $s$ times for some safety parameter $s$ agreed upon between Alice and Bob. The protocol is very similar if $z \notin QR_n$ but it requires that some standard $y \in QNR_n[+1]$ has already been proven once and for all. Thus, the protocol of [GMR] must be used the very first time in order to make ours effective. □



4. i.e.: the predicate $A$ and the BPP algorithm for $A$ are already known to Bob.
A similar protocol is independently given in [Be]; its essence was already in [CF]. Notice also that our protocol would not work for quadratic non-residuosity if $n$ had more than two distinct prime factors, whereas the protocol of [GMR] could still be used.
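An added simulation of the Quadratic Residuosity Protocol above (example code, not the paper's): Alice's private square root via CRT, the commitment $w = u^2$, and Bob's check for each challenge. The primes are constructed toy values chosen congruent to 3 mod 4 so that roots are one exponentiation, the standard $y$ is assumed already proven, and the non-residue case is handled by proving a root of $zy^{-1}$ instead of $z$, which is our reading of the paper's "very similar" variant.

```python
import math
import secrets

# Constructed toy primes, both congruent to 3 mod 4 so that Alice's square
# roots are a single exponentiation; a real modulus must be unfactorable.
P, Q = 999983, 1000003
N = P * Q

def legendre(a, p):
    return pow(a, (p - 1) // 2, p)        # 1 if a is a QR mod p, p-1 otherwise

def random_unit():
    while True:
        u = secrets.randbelow(N - 2) + 2
        if math.gcd(u, N) == 1:
            return u

def standard_qnr():
    while True:
        y = random_unit()
        if legendre(y, P) == P - 1 and legendre(y, Q) == Q - 1:
            return y

Y = standard_qnr()   # the standard y in QNR_n[+1], assumed already proven once

# --- Alice's private operations (need p and q) -----------------------------
def alice_is_qr(a):
    return legendre(a, P) == 1 and legendre(a, Q) == 1

def alice_sqrt(a):
    """A square root of a mod n via CRT; only meaningful when a is a QR mod n."""
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)
    return (rp + P * ((rq - rp) * pow(P, -1, Q) % Q)) % N

# --- The protocol, both sides simulated -----------------------------------
def prove_quadratic_character(z, rounds=20, challenge=None):
    """Bob chose z in Z_n^*[+1]. Alice states whether z is a residue, then
    proves it over `rounds` rounds. Returns (claimed_qr, bob_accepts)."""
    claimed_qr = alice_is_qr(z)
    # Target whose root Alice knows: z itself, or z*y^-1 when z is a
    # non-residue (assumed reading of the paper's non-residue variant).
    target = z if claimed_qr else z * pow(Y, -1, N) % N
    x = alice_sqrt(target)                 # never sent to Bob on its own
    for _ in range(rounds):
        u = random_unit()
        w = u * u % N                      # Alice commits w = u^2, keeps u
        ch = challenge or secrets.choice("AB")
        if ch == "A":
            # Alice discloses u; Bob checks that w is a residue.
            answer = u
            ok = answer * answer % N == w
        else:
            # Alice discloses u*x; Bob checks (ux)^2 = w * target, so w and
            # the target share the same quadratic character.
            answer = u * x % N
            ok = answer * answer % N == w * target % N
        if not ok:
            return claimed_qr, False
    return claimed_qr, True

if __name__ == "__main__":
    v = random_unit()
    print(prove_quadratic_character(v * v % N))        # (True, True)
    print(prove_quadratic_character(v * v * Y % N))    # (False, True)
```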

Finally, here is the permutation problem. Let $m$ be some integer agreed upon between Alice and Bob. Let $\sigma$ be a permutation of $\{1, 2, \ldots, m\}$ randomly and secretly chosen by Alice. This permutation can be naturally represented by a table of $mk$ bits, where $k = \lceil \log_2 m \rceil$. Alice discloses to Bob an encryption for each of these bits, so that it will not be possible for her to change her originally chosen permutation. At this point, Bob would like to be convinced that he was given the encryption of a permutation, not just of any function from $\{1, 2, \ldots, m\}$ to $\{1, 2, \ldots, 2^k\}$. No doubt the reader has seen our technique used enough times by now to design his/her own ZKIP. This problem has applications if one wishes to keep an electronic poker face [Cr], and its solution is central to the above mentioned efficient ZKIP's for Hamiltonian circuit, clique, knapsack, etc.

10. OPEN PROBLEM 

Can Bob compute encryptions of arbitrary Boolean functions of encrypted Boolean inputs without the help of Alice? For instance, given encryptions for the bits $b_1$ and $b_2$, can he compute an encryption for ($b_1$ and $b_2$)? If so, this might allow a dramatic improvement in our protocols, including the possibility of publishing ZKIP's (an idea originally investigated by Manuel Blum).

ACKNOWLEDGEMENT 

We wish to thank Josh Benaloh, Joan Feigenbaum, Oded Goldreich, Shafi Goldwasser, Silvio 
Micali, Jean-Marc Robert, Steven Rudich and Moti Yung for fruitful discussions. 

REFERENCES 

[A] Adleman, L., "Reducibility, randomness and intractability", Proceedings of the 9th Annual ACM Symposium on the Theory of Computing, 1977, pp. 151-163.

[Ba] Babai, L., "Trading group theory for randomness", Proceedings of the 17th Annual ACM Symposium on the Theory of Computing, 1985, pp. 421-429.

[Be] Benaloh (Cohen), J. D., "Cryptographic capsules: a disjunctive primitive for interactive protocols", these CRYPTO 86 Proceedings, Springer-Verlag, 1987.

[BC] Brassard, G. and C. Crépeau, "Non-transitive transfer of confidence: a perfect zero-knowledge interactive protocol for SAT and beyond", Proceedings of the 27th Annual IEEE Symposium on the Foundations of Computer Science, 1986, pp. 188-195.

[Ch] Chaum, D., "Demonstrating that a public predicate can be satisfied without revealing any information about how", these CRYPTO 86 Proceedings, Springer-Verlag, 1987.

[CF] Cohen (Benaloh), J. D. and M. J. Fisher, "A robust and verifiable cryptographically secure election scheme", Proceedings of the 26th Annual IEEE Symposium on the Foundations of Computer Science, 1985, pp. 372-382.

[Cr] Crépeau, C., "A zero-knowledge Poker protocol that achieves confidentiality of the players' strategy, or How to achieve an electronic Poker face", these CRYPTO 86 Proceedings, Springer-Verlag, 1987.

[GHY] Galil, Z., S. Haber and M. Yung, "A private interactive test of a Boolean predicate and minimum-knowledge public-key cryptosystems", Proceedings of the 26th Annual IEEE Symposium on the Foundations of Computer Science, 1985, pp. 360-371.

[G] Gill, J., "Computational complexity of probabilistic Turing machines", SIAM Journal on Computing, vol. 6, no. 4, 1977, pp. 675-695.

[GMW] Goldreich, O., S. Micali and A. Wigderson, "Proofs that yield nothing but their validity and a methodology of cryptographic protocol design", Proceedings of the 27th Annual IEEE Symposium on the Foundations of Computer Science, 1986, pp. 174-187.

[GK] Goldwasser, S. and J. Kilian, "Almost all primes can be quickly certified", Proceedings of the 18th Annual ACM Symposium on the Theory of Computing, 1986, pp. 316-329.

[GM] Goldwasser, S. and S. Micali, "Probabilistic encryption", Journal of Computer and System Sciences, vol. 28, no. 2, 1984, pp. 270-299.

[GMR] Goldwasser, S., S. Micali and C. Rackoff, "The knowledge complexity of interactive proof-systems", Proceedings of the 17th Annual ACM Symposium on the Theory of Computing, 1985, pp. 291-304.

[Pe] Peralta, R., "A simple and fast probabilistic algorithm for computing square roots modulo a prime number", IEEE Transactions on Information Theory, to appear.

[Pr] Pratt, V., "Every prime has a succinct certificate", SIAM Journal on Computing, vol. 4, 1975, pp. 214-220.

[R] Rabin, M. O., "Probabilistic algorithms", in Algorithms and Their Complexity: Recent Results and New Directions, J. F. Traub (editor), Academic Press, New York, 1976, pp. 21-39.

[RSA] Rivest, R. L., A. Shamir and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", Communications of the ACM, vol. 21, no. 2, 1978, pp. 120-126.

[SS] Solovay, R. and V. Strassen, "A fast Monte Carlo test for primality", SIAM Journal on Computing, vol. 6, 1977, pp. 84-85.



All-or-Nothing Disclosure of Secrets

Gilles BRASSARD† and Claude CRÉPEAU‡

Département d'informatique et de R.O.
Université de Montréal
Montréal (Québec)
Canada H3C 3J7

Jean-Marc ROBERT*

Département de Génie Électrique
École Polytechnique de Montréal
Montréal (Québec)
Canada H3C 3A7



1. INTRODUCTION 

Alice disposes of some number of secrets. She is willing to disclose one of them to Bob. Although she agrees to let him choose which secret he wants, she is not willing to allow him to gain any information on more than one secret. On the other hand, Bob does not want Alice to know which secret he wishes. This is a useful building block in crypto-protocols. For instance, it can be used to easily implement a multi-party mental Poker protocol similar to that of [Cr1], i.e.: safe against player coalitions. An all-or-nothing disclosure is one by which, as soon as Bob has gained any information whatsoever on one of Alice's secrets, he has wasted his chances to learn anything about the other secrets. In particular, it must be impossible for Bob to gain joint information on several secrets, such as their exclusive-or. Notice that this is crucial, because it is well-known in classical cryptography that the exclusive-or of two plaintext English messages allows easy recovery of them both, just as a running stream Vigenère would [D].

We assume that Alice is honest when she claims to be willing to disclose one secret to Bob (i.e. she is not about to send junk). The only cheating Alice is susceptible of trying is to figure out which secret is of interest to Bob. Although equally worthwhile, we do not address here the problem of verifiable secrets$^1$, because it is too much application dependent. However, the problem of verifiable secrets is addressed and solved in [Cr2] for its specific application to mental poker.

Let us stress that the major novelty consists in letting Bob choose which secret he obtains. This is interesting whenever the secrets are not anonymous: although Bob does not know their contents, he knows their individual purpose$^2$. Consider for instance the following situation: an international spy disposes of a large corpus of various state secrets. He sells them by the piece to whoever is

† Supported in part by NSERC grant A4107.

‡ Supported in part by an NSERC postgraduate scholarship; current address: MIT.

* Current address: McGill University, Montreal.

1. That is, preventing that Bob unknowingly obtains a falsified secret should Alice fail to cooperate honestly.

2. In order to get a computationally secure scheme under cryptographic assumptions, it would otherwise suffice to use a variation on oblivious transfer (attributed to Oded Goldreich in PPT]) to allow "Alice to transfer to Bob exactly one out of two recognisable messages" so that neither has control over which message will be received.
willing to pay the price. In his catalogue, each secret is advertised with a tantalizing title, such as "where is Abu Nidal". He would not accept to give away two secrets for the price of one, or even partial information on more than one secret. On the other hand, you (the potential buyer) would not pay for a randomly chosen secret, but are reluctant to let him know which secret you wish to acquire, because his knowledge of your specific interests could be a valuable secret for him to sell to someone else (under the title: "who is looking for terrorists", for instance). Let us point out that this problem was addressed and solved more than 15 years ago by quantum physical means, when the number of secrets is at most three, in Wiesner's original Quantum Cryptography paper [W].

Under cryptographic assumptions, we provide in this paper a practical computationally secure 
solution. This solution is inspired by our work on zero-knowledge interactive protocols [BC1, BC2]. 
In a companion paper [BCR], we show how to efficiently reduce this general all-or-nothing disclosure 
of secrets problem to a much simpler problem known as the two-bit problem. The main interest of 
this reduction is that it is information theoretic and that it does not depend on unproved assumptions. 

We assume that the reader has some number theoretic background, being familiar with the notation $Z_m$, the notions of quadratic residues and Jacobi symbol, and the quadratic residuosity assumption (QRA) [GM]. We also assume the reader is familiar with the principle of zero-knowledge interactive proofs [GMR].

2. A SOLUTION BASED ON QUADRATIC RESIDUOSITY 

Let $x_1, x_2, \ldots, x_n$ be Alice's $t$-bit secrets, and let $b_{ij}$ be $x_i$'s $j$-th bit for $1 \le i \le n$ and $1 \le j \le t$. Initially, Alice randomly selects two large distinct primes $p$ and $q$ together with a quadratic non-residue $y$ modulo $m = pq$ whose Jacobi symbol is +1. For each secret bit $b_{ij}$, she selects a random $x_{ij} \in Z_m^*$ and computes $z_{ij} = x_{ij}^2 y^{b_{ij}} \bmod m$. Notice that $z_{ij}$ is a quadratic residue if and only if $b_{ij} = 0$. Finally, Alice gives Bob both $m$ and $y$, together with all the $z_{ij}$'s, keeping $p$ and $q$ secret. According to QRA, this does not enable Bob to obtain in polynomial time any information on Alice's actual secrets.

If Bob wanted to know bit $b_{ij}$ for some specific $i$ and $j$, and if Alice were willing to cooperate, the following protocol comes to mind: Bob chooses a random $r \in Z_m^*$ and a random bit $a$, he computes the question $q = z_{ij} r^2 y^a \bmod m$ and he asks Alice for the quadratic residuosity of $q$. Clearly, $b_{ij} = a$ if and only if $q$ is a quadratic residue. On the other hand, regardless of $i$ and $j$, $q$ is a random element of $Z_m^*$ with Jacobi symbol +1 and thus Alice has no idea as to which of her secret bits she has just given away. One might naively be tempted to "solve" ANDOS by allowing Bob to ask $t$ such questions, one for each bit of the secret he wants. There are three flaws with this idea:

• Bob could ask for $t$ bits taken from distinct secrets.

• Bob could obtain in one question the exclusive-or of several bits. For instance, he could ask the question $q = z_{ij} z_{kl} r^2 y^a \bmod m$ and thus learn $b_{ij} \oplus b_{kl}$. As pointed out in the introduction, this would most probably enable him to obtain two complete secrets by asking for their exclusive-or, assuming the actual secrets are in plaintext English.

• More subtly, despite the previous claim, this would open the door for Alice to cheat as well! Indeed, she could lie from the beginning and give Bob a quadratic residue for her $y$. In this case, the questions asked by unsuspecting Bob would keep the same quadratic character as the corresponding $z$'s, allowing Alice to figure out Bob's interests.
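An added simulation (not the paper's code) of the naive single-question protocol just described and of its second and third flaws: an honest Bob recovering a secret bit by bit, a product question that answers with the exclusive-or of two bits, and a cheating Alice who posted a residue as $y$ and $z$'s with chosen quadratic characters so that Bob's questions fingerprint the secret he is after. The primes, the secrets and the fingerprint pattern (the binary representation of the secret's index) are constructed for the example.

```python
import math
import secrets

# Constructed toy parameters; a real modulus m must be unfactorable.
P, Q = 999983, 1000003
M = P * Q
T = 8                                   # every secret is a t-bit string (t = 8)

def legendre(a, p):
    return pow(a, (p - 1) // 2, p)      # 1 if a is a QR mod p, p-1 otherwise

def random_unit():
    while True:
        r = secrets.randbelow(M - 2) + 2
        if math.gcd(r, M) == 1:
            return r

def standard_qnr():
    """y with Jacobi symbol +1 that is a non-residue mod m."""
    while True:
        y = random_unit()
        if legendre(y, P) == P - 1 and legendre(y, Q) == Q - 1:
            return y

Y = standard_qnr()

def encrypt_bit(b):
    """z = x^2 * y^b mod m: a quadratic residue exactly when b = 0."""
    x = random_unit()
    return x * x * pow(Y, b, M) % M

def alice_setup(secret_values):
    """Alice posts z_ij for the j-th bit of secret x_i (most significant first)."""
    return [[encrypt_bit((x >> (T - 1 - j)) & 1) for j in range(T)]
            for x in secret_values]

def alice_is_qr(q):
    """Alice's answer to a question: the quadratic character of q (needs p, q)."""
    return legendre(q, P) == 1 and legendre(q, Q) == 1

# Bob's question q = z * r^2 * y^a mod m is a uniformly random element of
# Z_m^*[+1], so an honest Alice cannot tell which z it was built from.
def bob_ask(z, ask_alice, y=Y):
    a = secrets.randbits(1)
    r = random_unit()
    q = z * r * r * pow(y, a, M) % M
    return a if ask_alice(q) else 1 - a   # b = a  iff  q is a residue

def bob_learn_secret(zs, ask_alice):
    bits = [bob_ask(z, ask_alice) for z in zs]
    return int("".join(map(str, bits)), 2)

# Flaw 2: one question about a product of two z's yields the XOR of the bits,
# since z1*z2 = (x1*x2)^2 * y^(b1+b2) is a residue iff b1 = b2.
def bob_learn_xor(z1, z2, ask_alice):
    return bob_ask(z1 * z2 % M, ask_alice)

# Flaw 3: if the posted "y" is a residue, r^2 * y^a is always a residue and q
# keeps the character of the z that Bob multiplied in. A cheating Alice who
# gave secret i the character pattern "binary of i" reads i off Bob's questions.
def cheating_alice_posting(n):
    fake_y = random_unit() ** 2 % M       # a residue passed off as y
    post = []
    for i in range(n):
        row = []
        for j in range(T):
            r = random_unit()
            nonres = (i >> (T - 1 - j)) & 1   # 1: make z_ij a non-residue
            row.append(r * r * pow(Y, nonres, M) % M)
        post.append(row)
    return fake_y, post

def cheating_alice_identify(characters):
    """From the characters of t questions (residue -> 0, non-residue -> 1)."""
    return int("".join("0" if qr else "1" for qr in characters), 2)

if __name__ == "__main__":
    post = alice_setup([0b10110010, 0b00001111])
    print(bob_learn_secret(post[1], alice_is_qr))        # 15
    fake_y, cheat = cheating_alice_posting(5)
    seen = []
    def spying_alice(q):
        seen.append(alice_is_qr(q)); return seen[-1]
    for z in cheat[3]:
        bob_ask(z, spying_alice, fake_y)
    print(cheating_alice_identify(seen))                  # 3
```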
In order to solve these difficulties, it is imperative that both Alice and Bob convince the other of their good faith: Alice must show that the information she posted initially is genuine and Bob must convince Alice that his questions are honest. This is where zero-knowledge interactive protocols come into play. The third flaw mentioned above is solved by Alice using zero-knowledge interactive protocols of [GHY] and [GMR] to convince Bob that $m$ has only two prime factors and that $y$ is a quadratic non-residue modulo $m$, respectively. In a context of verifiable secrets, this is also where Alice would convince Bob that the secrets hidden by the $z_{ij}$'s respect whichever conditions befit the application (a specific example is given in [Cr2]).

The first two flaws of the naive protocol above are harder to control. Although we have found several solutions, we only sketch here our favourite. Let $\sigma$ be a permutation of $\{1, 2, \ldots, n\}$. A $\sigma$-packet $P_\sigma$ consists of one question for each bit of each secret in the following way: $P_\sigma = \{\, q_{kj} \mid 1 \le k \le n,\ 1 \le j \le t \,\}$ such that each $q_{kj} = z_{ij}\, r_{kj}^2\, y^{a_{kj}} \bmod m$, where $i = \sigma^{-1}(k)$, $r_{kj}$ is a random element of $Z_m^*$ and $a_{kj}$ is a random bit. Moreover, a $\sigma$-packet is valid if Bob knows the corresponding $\sigma$, $r_{kj}$'s and $a_{kj}$'s (notice that any collection of $nt$ elements of $Z_m^*$ with Jacobi symbol +1 is a $\sigma$-packet for every permutation $\sigma$, and Alice cannot distinguish a valid packet from any other such collection; however, assuming QRA, it is computationally infeasible for Bob to turn a random collection into a valid packet).

After the initialisation described previously, the ANDOS protocol proceeds as follows if $x_i$ is the secret of interest to Bob.

• Bob randomly selects a permutation $\sigma$ together with appropriate $r_{kj}$'s and $a_{kj}$'s, and forms a valid $\sigma$-packet $P_\sigma$.

• Bob gives $P_\sigma$ to Alice, keeping secret his random information, and convinces her that it is a valid packet (see below).

• Bob sends $k = \sigma(i)$ to Alice as his actual request.

• Alice gives Bob the quadratic character of each $q_{kj}$ in Bob's packet $P_\sigma$, for this specific $k$ and each $1 \le j \le t$.

• Bob infers each of Alice's bits $b_{ij}$, $1 \le j \le t$, from these quadratic characters and his own $a_{kj}$'s; hence he obtains $x_i$ as desired.

• If Bob wishes to obtain another secret and if Alice is willing to give (or sell) it to him, it suffices to repeat the three previous steps with the relevant new value for $i$; there is no need for Bob to form another packet and convince Alice of its validity all over again (unless it is important for the application that Alice does not even know whether Bob's new request is for a different secret).

It is of course crucial that Alice be convinced that Bob's packet $P_\sigma$ is valid, for he could otherwise stuff it with dishonest questions and we would be back to the beginning. It is equally crucial that Bob does not give Alice a clue as to which permutation $\sigma$ he chose, for she might otherwise gain information on $\sigma^{-1}(k)$, the secret of interest to Bob. This is achieved by an idea very similar to those leading to the perfect zero-knowledge interactive protocol of [BC2]. Let $s$ be a safety parameter agreed upon between Alice and Bob. After randomly choosing $s$ additional permutations $\sigma_1, \sigma_2, \dots, \sigma_s$ of $\{1, 2, \dots, n\}$, $nts$ new elements of $Z_m^*$ and $nts$ new bits, Bob creates $s$ additional $\sigma_l$-packets $P_1, P_2, \dots, P_s$. He sends all these packets together with the original $P_\sigma$. At this point, Alice selects a random subset $X \subseteq \{1, 2, \dots, s\}$ and sends it to Bob as a challenge. In order to convince her of the validity of $P_\sigma$, Bob must:

• for each $l \in X$, prove the validity of $P_l$ to Alice by disclosing $\sigma_l$ and all the random elements of $Z_m^*$ and random bits used in the creation of $P_l$;

• for each $l \notin X$, prove to Alice that $P_\sigma$ is valid if and only if $P_l$ is valid by disclosing $\sigma_l\sigma^{-1}$ and showing that he is capable of transforming the questions in $P_\sigma$ into the corresponding questions in $P_l$ (we leave the details of this to the reader).

At the end of this subprotocol, Alice will be convinced that $P_\sigma$ is valid, with a $2^{-s}$ probability of being fooled by Bob. Indeed, the only way he could convince her of the validity of an invalid $P_\sigma$ would be by producing valid packets for each $l \in X$ and invalid packets for each $l \notin X$. Since he must do so before being told $X$, the result follows from the fact that Alice has $2^s$ different choices for $X$.

3. OUTLINE OF THE REDUCTIONS OF [BCR]

In [BCR], we give information-theoretic reductions among disclosure problems. More precisely, we show that it is exactly as hard to all-or-nothing disclose one $t$-bit secret among $n$ as it is to disclose one bit among two. This result is obtained by a chain of reductions that allows the collapse of an apparent hierarchy of disclosure problems. Here is a list of problems that turn out to be information-theoretically equivalent, that is, equivalent even if either or both parties had unlimited computing power, regardless of unproved assumptions.

The two-bit problem (2BP) : Alice disposes of two secret bits and she is willing to disclose 
one of them to Bob, at his choosing. Bob must not be allowed to learn more than one bit 
of information on Alice's bits, but Alice will not be upset if Bob succeeds in gaining any 
(deterministic) one-bit function of these two bits, such as their exclusive-or. If Bob plays 
fair and obtains the physical bit of his choice, Alice does not know which of her two bits 
she disclosed. 

The all-or-nothing two-bit problem (AN2BP): Alice disposes of two secret bits and she is willing to disclose one of them to Bob, at his choosing. Nothing Bob can do will give him more than one of these physical bits: as soon as he obtains any information on one of them, he loses all hope of gaining any information on the other. Alice does not know which of her two bits she disclosed.

The all-or-nothing n-bit problem (ANNBP) : this is identical to the previous problem, 
except that Alice owns n secret bits rather than 2. She wishes to all-or-nothing disclose one 
of them to Bob, at Bob's choosing. 

The all-or-nothing disclosure of secrets (ANDOS) : described previously. 
1. Introduction

Many attempts have been previously made to achieve a protocol that would allow people to play mental poker [SRA, GM1, BF, FM, Yu, Cr] (I would rather say electronic poker). Unfortunately no solution has ever come close to reality with respect to poker strategy. Poker players usually claim that luck has nothing to do with their gains. In fact, poker is a very strategic game. Often, an inexperienced player will lose a lot of money when playing against an experienced player, only because the former cannot hide his emotions so easily. The experienced player can easily tell whether his opponent has a good hand or not.

Electronic poker is an ideal way of hiding one's emotions. But, in fact, every protocol proposed thus far ruins this perfect poker face, since their security is based on the fact that all hands are revealed at the end of the game. This means that the strategy of each player becomes known to all his opponents. In particular, if one bluffs with a bad hand in the hope that all his opponents will give up, he still has to reveal his hand at the end, in order to participate in the verification part of the protocol. Moreover, when a player opens his hand, he does not want his opponents to learn the moment at which each of his cards was drawn, since this would give them some information about his strategy.

This paper proposes a new poker protocol that allows players to keep their strategy secret. This protocol is an extension of the one given by Crépeau in [Cr]. The security will not be based on the knowledge of the entire deck of cards at the end of the game, but rather on some independent information linked to the entries of the deck. This protocol achieves every constraint of a real poker game. It is the first complete solution to the mental poker problem. It achieves all the necessary conditions suggested in [Cr]:

• Uniqueness of cards 

• Uniform random distribution of cards 

• Absence of trusted third party 

• Cheating detection with a very high probability 

• Complete confidentiality of cards 

• Minimal effect of coalitions 

• Complete confidentiality of strategy 
2. Review of the protocol in [Cr]

Suppose that $P_1, P_2, \dots, P_N$ want to play poker. Assume a correspondence between the standard deck of cards and the set DECK $= \{1, 2, \dots, 52\}$. Each $P_i$ will pick a permutation $\pi_i$ of DECK and keep it secret. The shuffled deck will be $\pi_N \cdots \pi_2 \pi_1$, i.e. the functional composition of these permutations.

To get a card, player $P_i$ picks a value $k$ in DECK that nobody else has picked before, and gets his card by computing $\pi_N \cdots \pi_2 \pi_1(k)$. Since the permutations are kept secret, he will have to use a special trick in order to get this value. To do so, he may use the Hiding-Revealing protocol proposed in [Cr]. This will allow $P_i$ to get the values $\pi_1(k)$, $\pi_2\pi_1(k)$, up to $\pi_N \cdots \pi_2\pi_1(k)$ from his opponents. If everybody was getting their cards this way, all would be fine. But somebody could cheat by computing $\pi_N \cdots \pi_2\pi_1(k')$ for some $k' \in$ DECK he does not own. This way, he may learn cards which are in the hand of another player or still in the deck. Obviously, we cannot tolerate that he gets cards that someone else has already picked. Unfortunately the protocol of [Cr] solves this problem by asking every player to disclose their $\pi_i$ at the end of the game, thus revealing every hand, including those of players that would not open their hands at the end of a "real" poker game.

How can $P_i$ prove that he is getting a card nobody else has without revealing this card? This is the main question addressed (and solved) in this paper.

3. A first idea 

To achieve this, we will first change the way by which we check that a player has been reading the entries he claims in his opponents' permutations. The main idea is to add some random information to each of the secret values in $\pi_1, \pi_2, \dots, \pi_N$. This information will be randomly chosen bit strings which are long enough to be hard to guess. When a player reads an entry in the permutation of another player, he will have to read the additional bit string linked to it. These strings will later be publicly revealed by the players who wish to open their hands, and they all should match the initial strings if nobody is cheating.

Let $s$ be a security parameter to be chosen by the players. $P_i$ chooses $\tau_i : \text{DECK} \to \{0,1\}^s$. For $k \in$ DECK, the string $\tau_i(k)$ is called the trace of $\pi_i(k)$.

To increase the security of $\pi_i$ we are going to link its trace $\tau_i$ to it. By linking we mean that the value of $\tau_i(k)$ will have to be read by player $P_j$ whenever he wants the value $\pi_i(k)$ secretly. For this, we use the protocol for the all-or-nothing disclosure of secrets suggested in [BCR], with the 52 secrets

$\langle \pi_i(1), \tau_i(1)\rangle,\ \langle \pi_i(2), \tau_i(2)\rangle,\ \dots,\ \langle \pi_i(52), \tau_i(52)\rangle$

instead of simply using the Hiding-Revealing protocol as before [Cr].

Whenever $P_j$ reads one of the $\pi_i(k)$, he will get the corresponding $\tau_i(k)$ and he cannot get $\tau_i(k')$ instead. The interest is that if $P_j$ wants some $\pi_i(k')$ instead of his legitimate $\pi_i(k)$, he will also have to get $\tau_i(k')$ instead of $\tau_i(k)$. Later in the game he will not be able to convince his opponents that he has read $\pi_i(k)$, since he does not know $\tau_i(k)$ and can guess it only with a very small probability.
4. All-or-nothing disclosure of secrets (ANDOS)

Let us first see how such a protocol works. Suppose that Alice has a set of $t$ secrets $\{s_1, s_2, \dots, s_t\}$ and that she wishes to disclose one of them to Bob. Bob does not want Alice to know which secret he takes from the $t$ she has offered him. Alice will choose a secret key for probabilistic encryption, that is two large primes $p$ and $q$. She will give to Bob their product ($n$) and a quadratic non-residue ($y$) with Jacobi symbol +1. Let $b_{ij}$ be the $j$th bit of the secret $s_i$. Assume that all the secrets are $L$ bits long. Alice sends to Bob an encrypted version of her secrets. For this, she sends $\bar b_{ij}$, a random quadratic residue mod $n$ when $b_{ij}$ is 0 and a random non-residue otherwise.



ANDOS PROTOCOL (Encryption of Secrets)
Alice:

STEP 1 chooses $p$ and $q$, two large primes, and computes $n = pq$.

STEP 2 posts $n$ and $y$, a quadratic non-residue such that $(y/n) = +1$.

STEP 3 chooses $R_{ij} \in Z_n^*$ at random for $1 \le i \le t$, $1 \le j \le L$.

STEP 4 posts $\bar b_{ij} = R_{ij}^2\, y^{b_{ij}} \bmod n$, a probabilistic encryption of her secrets.



Now, Bob will build some "questions" about the secrets. To get a secret, Bob will have to ask a question to Alice for each bit of that secret. Typically, a question $Q_{ij}$ to get bit $b_{ij}$ looks like $\bar b_{ij} \times r^2 y^m$ for some randomly selected $r \in Z_n^*$ and $m \in \{0,1\}$. If Bob asks Alice to decide whether $Q_{ij}$ is a residue or not, he will be able to compute the value of $b_{ij}$ since he knows the quadratic relation between $Q_{ij}$ and $\bar b_{ij}$. Also, Alice will not have any idea about the bit Bob has been reading since all possible $Q_{ij}$'s in $Z_n^*[+1]$ have equal probability, independently of what $b_{ij}$ is.

When Bob wants a secret, he just asks enough questions to Alice to determine each bit of her secret. But how does Alice know that Bob is not cheating by reading bits in many secrets? He could very well read the first half of some secret together with the second half of another secret.

In order to avoid this, Bob will have to convince Alice that he possesses a set of $t$ fair groups of $L$ questions. A group of questions is fair only if all its questions apply to the same secret. Bob proves to Alice that his groups of questions $Q_i$ are fair in the way suggested in [BCR]. With this protocol, Bob can convince her that his groups of questions are fair, and the probability of achieving such a proof when they are not fair is $2^{-s}$.



ANDOS PROTOCOL (Preparation of Questions)
Bob:

STEP 1 chooses $\rho$, a permutation of $\{1, 2, \dots, t\}$.

STEP 2 chooses $r_{ij} \in Z_n^*$ and $m_{ij} \in \{0,1\}$ at random for $1 \le i \le t$, $1 \le j \le L$.

STEP 3 posts $Q_{ij} = \bar b_{\rho(i)\,j}\, r_{ij}^2\, y^{m_{ij}}$.

STEP 4 proves that his groups of questions are fair (see [BCR] for details).
Whenever Bob wants to get a secret from Alice, he just tells her which group interests him, and she will decide the quadratic character of each question in it. To convince Bob of her fairness, she also sends him a proof of the quadratic residuosity of each question: a square root of $Q$ when $Q$ is a quadratic residue and a square root of $Qy$ when $Q$ is a quadratic non-residue. From this, Bob will be able to compute the value of the secret he wishes, and Alice will be convinced that he is not getting information on more than one secret, but she will not know which secret she gave away.



ANDOS PROTOCOL (Get a Secret)

Bob:

STEP 1 chooses $i \in \{1, 2, \dots, t\}$ at his will.

STEP 2 sends $\rho^{-1}(i)$ to Alice.

STEP 3 FOR $1 \le j \le L$

Alice:

STEP 3.1 sets $\beta_j = 0$ if $Q_{\rho^{-1}(i)\,j}$ is a quadratic residue, and $\beta_j = 1$ otherwise.

STEP 3.2 finds $r_j$ such that $r_j^2 \equiv Q_{\rho^{-1}(i)\,j}\, y^{\beta_j} \pmod n$.

STEP 3.3 sends $\beta_j$ and $r_j$ to Bob.

Bob:

STEP 3.4 computes $b_{ij} = \beta_j \oplus m_{\rho^{-1}(i)\,j}$.
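The following Python toy is an added worked example; it is not code from this paper, from [BCR], or from the packet-based description at the start of this extract, both of which it illustrates. It runs the three ANDOS phases above (Encryption of Secrets, Preparation of Questions, Get a Secret) with two constructed primes $p = 10007$ and $q = 10039$ (both $3 \bmod 4$ so that Alice's square roots in STEP 3.2 are one exponentiation each), with secrets given as equal-length byte strings so that $L = 8 \times$ length, and with the class and function names (`Alice`, `Bob`, `andos_demo`) chosen here. The cut-and-choose fairness proof of STEP 4 (Preparation of Questions), like the packet-validity proof of the earlier section, is a [BCR] subprotocol and is not implemented; what the block shows is the residuosity mechanics those proofs protect: why $\beta_j \oplus m_{ij}$ is exactly $b_{ij}$, why the root Alice returns lets Bob check her answer without the factorisation, and why every posted value and every question has Jacobi symbol +1, so that nothing in the public transcript separates the two possible bits for anyone who cannot decide residuosity.

```python
import secrets
from math import gcd

# Constructed toy primes, both 3 mod 4, so the holder of the factorisation takes
# square roots mod n = pq with one exponentiation; real ones have hundreds of digits.
P, Q = 10007, 10039

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; computable without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def random_unit(n):  # uniform random element of Z_n^*
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r

class Alice:
    """Secret owner: runs Encryption of Secrets and answers Get a Secret."""
    def __init__(self, secret_bytes, p=P, q=Q):
        self.p, self.q, self.n = p, q, p * q
        while True:  # STEP 2: y is a non-residue with Jacobi symbol +1
            self.y = random_unit(self.n)
            if jacobi(self.y, self.n) == 1 and not self.is_residue(self.y):
                break
        # b_ij = j-th bit of secret s_i; all secrets are assumed L = 8*len bits long
        self.bits = [[(byte >> (7 - k)) & 1 for byte in s for k in range(8)]
                     for s in secret_bytes]
        # STEP 4: bbar_ij = R_ij^2 * y^b_ij mod n is a residue iff b_ij = 0
        self.posted = [[random_unit(self.n) ** 2 * pow(self.y, b, self.n) % self.n
                        for b in row] for row in self.bits]

    def is_residue(self, a):  # residuosity mod n, decided with the trapdoor p, q
        return (pow(a, (self.p - 1) // 2, self.p) == 1
                and pow(a, (self.q - 1) // 2, self.q) == 1)

    def sqrt(self, a):
        """A square root of the residue a mod n: roots mod p and q glued by CRT."""
        rp, rq = pow(a, (self.p + 1) // 4, self.p), pow(a, (self.q + 1) // 4, self.q)
        return (rp * self.q * pow(self.q, -1, self.p)
                + rq * self.p * pow(self.p, -1, self.q)) % self.n

    def answer(self, group):
        """STEPs 3.1-3.3: beta_j and a root of Q*y^beta_j (one of Q, Q*y is a residue)."""
        out = []
        for q_ in group:
            beta = 0 if self.is_residue(q_) else 1
            out.append((beta, self.sqrt(q_ * pow(self.y, beta, self.n) % self.n)))
        return out

class Bob:
    """Receiver: runs Preparation of Questions and decodes Alice's answers."""
    def __init__(self, n, y, posted):
        self.n, self.y = n, y
        t, L = len(posted), len(posted[0])
        self.rho = list(range(t))  # STEP 1: secret rho; group i asks about secret rho(i)
        secrets.SystemRandom().shuffle(self.rho)
        self.m = [[secrets.randbelow(2) for _ in range(L)] for _ in range(t)]
        # STEP 3: Q_ij = bbar_{rho(i) j} * r_ij^2 * y^m_ij mod n, whose character is
        # b_{rho(i) j} XOR m_ij; the fresh r_ij hides which bbar it was built from
        self.questions = [[posted[self.rho[i]][j] * random_unit(n) ** 2
                           * pow(y, self.m[i][j], n) % n for j in range(L)]
                          for i in range(t)]

    def group_of(self, i):  # rho^{-1}(i): the group Bob names for secret i (STEP 2)
        return self.rho.index(i)

    def recover(self, i, answers):
        """STEP 3.4: b_ij = beta_j XOR m_ij, after checking Alice's root."""
        g, bits = self.group_of(i), []
        for j, (beta, root) in enumerate(answers):
            expected = self.questions[g][j] * pow(self.y, beta, self.n) % self.n
            if root * root % self.n != expected:
                raise ValueError("Alice's residuosity proof does not verify")
            bits.append(beta ^ self.m[g][j])
        return bytes(int("".join(map(str, bits[k:k + 8])), 2)
                     for k in range(0, len(bits), 8))

def andos_demo(secret_list, wanted):
    """One full run: returns Bob's decoded secret and whether every public value
    (posted encryptions and questions) has Jacobi symbol +1."""
    alice = Alice(secret_list)
    bob = Bob(alice.n, alice.y, alice.posted)
    g = bob.group_of(wanted)  # Alice sees only g; rho is uniform, so g says nothing
    recovered = bob.recover(wanted, alice.answer(bob.questions[g]))
    opaque = all(jacobi(v, alice.n) == 1
                 for row in alice.posted + bob.questions for v in row)
    return recovered, opaque
```

Note that Bob's check in `recover` is what makes Alice's answer binding: a wrong $\beta_j$ would require a square root of a non-residue, which does not exist. The `opaque` flag is the property the section relies on from Bob's side: with only Jacobi symbols computable, the posted $\bar b_{ij}$ and the questions $Q_{ij}$ are indistinguishable from random elements of $Z_n^*[+1]$.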



5. Some basic difficulties

Since the final solution is still based on the use of permutations, we first consider the problem of proving to the other players that the encrypted string produced by a player is indeed a permutation of $\{1, 2, \dots, 52\}$. The problem arises from the fact that these permutations must remain secret even after the end of the game. Since they are never opened, they could in fact not be permutations at all.

One might cheat this way, for instance, by pulling out some cards from the deck and replacing them by copies of some other cards. If he does not get caught, he may learn useful information; for instance, he may know that no ace of spades exists.

Suppose that $P_i$ wants to use a permutation $\pi_i$ in the protocol. He would like to convince his opponents that $\pi_i$ is indeed a permutation of $\{1, 2, \dots, 52\}$. For this he can use a general purpose protocol proving that two encrypted permutations contain the same set of elements. We therefore consider first the implementation of this general protocol.

Let $X = \{x_1, x_2, \dots, x_t\}$ be a set known to Bob. Let $\sigma$ and $\sigma'$ be two permutations of the elements of $X$. Consider $x_i$ as a bit string of length $L$, where $L = \max\{|x_i| : 1 \le i \le t\}$. Define $b_{ij}$ to be the $j$th bit of $x_i$. Let $\langle n = pq, y\rangle$ be Bob's probabilistic encryption public keys. Finally, let $\bar b_{ij}$ be a probabilistic encryption of $b_{\sigma(i)\,j}$ and $\bar b'_{ij}$ be a probabilistic encryption of $b_{\sigma'(i)\,j}$.
PERMUTATION EQUALITY PROTOCOL (Preparation)

Bob:

STEP 1 chooses $r_{ij}, r'_{ij} \in Z_n^*$ at random for $1 \le i \le t$, $1 \le j \le L$.

STEP 2 posts $\bar b_{ij} = r_{ij}^2\, y^{b_{\sigma(i)\,j}} \bmod n$ and $\bar b'_{ij} = r'^2_{ij}\, y^{b_{\sigma'(i)\,j}} \bmod n$, some probabilistic encryptions of his permutations.



Bob can then prove in zero-knowledge to Alice that for all $i$ there exists $i'$ such that for all $j$, $\bar b_{ij}$ and $\bar b'_{i'j}$ encrypt the same bit, using the following protocol (thus proving that the $\bar b_{ij}$'s and the $\bar b'_{ij}$'s encrypt permutations of the same set). Let $s$ be a security parameter agreed between Bob and Alice.



PERMUTATION EQUALITY PROTOCOL

STEP 1 FOR $1 \le l \le s$

STEP 1.1 Bob chooses $\rho$, a random permutation of $\{1, 2, \dots, t\}$.
STEP 1.2 Bob chooses $c_{ij} \in Z_n^*$ at random for $1 \le i \le t$, $1 \le j \le L$.
STEP 1.3 Bob posts $\tilde b_{ij} = c_{ij}^2\, y^{b_{\rho(i)\,j}} \bmod n$.
STEP 1.4 Alice chooses a bit $c$ at random and tells it to Bob.
STEP 1.5 IF $c = 0$ Bob reveals $r^{-1}_{\sigma^{-1}\rho(i)\,j}\, c_{ij}$ for $1 \le i \le t$, $1 \le j \le L$.
STEP 1.6 IF $c = 1$ Bob reveals $r'^{-1}_{\sigma'^{-1}\rho(i)\,j}\, c_{ij}$ for $1 \le i \le t$, $1 \le j \le L$.



For further details on the construction of this protocol, see [BC]. Bob will be able to prove to Alice that $\bar b$ and $\bar b'$ are encoded permutations of the same set, when in fact they are not, with probability $2^{-s}$.

In our case, $P_i$ simply uses $\sigma = \pi_i$ and $\sigma' = I$, where $I$ is the identity permutation.

Once the protocol is completed, $P_i$ decrypts the $\bar b'_{ij}$'s and proves that they constitute an encryption of $I$ (by decrypting we mean that he reveals the random seed used to encrypt that information). The preparation part of the protocol may be performed only once, while the second part of the protocol should be performed with each opponent separately. Of course, each player $P_i$ uses his personal values $n_i$ and $y_i$ in place of $n$ and $y$ in the previous protocol.

But in order for this protocol to work, $n_i$ must be of the adequate form (with only two prime factors). In fact, the protocol works whenever $n_i = p_i^a q_i^b$ with $p_i$ and $q_i$ distinct primes and $a$ and $b$ not both even. In order to prove that $n_i$ is of the correct form, $P_i$ may use the protocol given in [GHY]. By repeating this protocol, $P_i$ can convince each of his opponents that $n_i$ is of the right form. Also, to prove that $y_i$ is a quadratic non-residue modulo $n_i$ he can use the protocol given in [GMR].

Notice that all the protocols suggested so far are zero-knowledge (under the assumption that deciding quadratic residuosity is hard). This makes the following preparation protocol zero-knowledge. Initially, each player $P_i$ uses PREPARATION(i) as suggested below:
PREPARATION(i)

$P_i$:

STEP 1 chooses $\pi_i$, a permutation of DECK.

STEP 2 chooses $\tau_i : \text{DECK} \to \{0,1\}^s$ at random.

STEP 3 chooses $p_i$, $q_i$ and posts $n_i = p_i q_i$ and $y_i$.

STEP 4 proves that $n_i$ and $y_i$ are in the correct form.

STEP 5 reveals probabilistic encryptions of $\pi_i$ and $\tau_i$.

STEP 6 uses ANDOS PROTOCOL (Preparation of Questions) with each $P_j$ for the secrets $\langle\pi_i(1), \tau_i(1)\rangle, \dots, \langle\pi_i(52), \tau_i(52)\rangle$.

STEP 7 $P_i$ proves that $\pi_i$ is indeed a permutation of DECK, using PERMUTATION EQUALITY PROTOCOL.



6. Getting cards

Initially, each number $k$ in DECK is marked "free". To get a new card, player $P_i$ picks a "free" value $k$ and marks it "used". We say that $k$ is the identifier of the card. Then, $P_i$ asks publicly his opponents for the values of $\pi_1(k)$, $\pi_2\pi_1(k)$, up to $\pi_{i-1} \cdots \pi_1(k)$. They will prove their claims by decrypting the corresponding entries of their coded permutations. Then $P_i$ gets $\pi_i\pi_{i-1}\cdots\pi_1(k)$ by looking at his own permutation. Finally he gets the values $\pi_{i+1}\pi_i\cdots\pi_1(k)$ up to $\pi_N\cdots\pi_1(k)$ by using the secret questions he has proven correct to $P_{i+1}, P_{i+2}, \dots, P_N$. When he does this, he also gets the corresponding strings $\tau_{i+1}\pi_i\cdots\pi_1(k)$ up to $\tau_N\pi_{N-1}\cdots\pi_1(k)$. These strings will allow him to prove later that he was honest when reading in $\pi_{i+1}, \pi_{i+2}, \dots, \pi_N$.



GET A CARD(i)

STEP 1 $P_i$ picks a free value $k$ in DECK; marks it used.

STEP 2 sets $c = k$

STEP 3 FOR $p = 1$ TO $i - 1$

STEP 3.1 $P_i$ gets $\pi_p(c)$ from $P_p$ (publicly)

STEP 3.2 sets $c = \pi_p(c)$

STEP 4† $P_i$ adds $\pi_i(c)$ to $H_i$

STEP 5 $P_i$ sets $c = \pi_i(c)$

STEP 6 FOR $p = 1$ TO $i - 1$

STEP 6.1 $P_p$ shows that he has never used his group of questions that could read $\pi_i(c)$.

STEP 7 FOR $p = i + 1$ TO $N$

STEP 7.1 $P_i$ gets $\langle\pi_p(c), \tau_p(c)\rangle$ using the ANDOS PROTOCOL (Get a Secret)

STEP 7.2 sets $c = \pi_p(c)$

STEP 8 CARD $= c$

† The meaning of this step will become clear in the next section.
This protocol tolerates that a player reads a card which does not belong to him, but only if this card does not belong to someone else, because this does not change the probability distribution of the hands of the players. Getting any "free" card is equivalent. The only trouble in this case is that the lucky cheater (lucky because he won't get caught) will not be able to use this card, since he cannot prove he read it honestly.

7. Opening and Closing of hands

We have not yet discussed the way by which the players will open a card or declare it closed for the rest of the game (discarded). One might think that claiming "I discard $k$" for some identifier $k$ that I own should be sufficient to discard a card. In the same way, maybe, it would be fine to open a card by revealing $\pi_i\pi_{i-1}\cdots\pi_1(k)$, $\pi_{i+1}\pi_i\cdots\pi_1(k)$, $\dots$, $\pi_N\cdots\pi_1(k)$ (since $\pi_1(k)$, $\pi_2\pi_1(k)$, $\dots$, $\pi_{i-1}\pi_{i-2}\cdots\pi_1(k)$ are already known publicly).

But this way, some strategic information will be acquired by the players about their opponents. Suppose that my hand includes the cards of figure 1 (below). Then I may discard the first 2 cards and draw 2 new ones. Suppose I then get into the situation of figure 2.

[figure 1 and figure 2: the two hands of cards; the images are not preserved in this extraction]

If I open up my hand according to the above-described protocol, my opponents would know which of my cards are the new ones. This way, they may learn information about my strategy.

Let $K_i$ denote the set of values of DECK owned by $P_i$ in his own permutation $\pi_i$. To solve the above-mentioned problem, the players will carry an encrypted permuted version of their $K_i$ for the entire game. Note that this information is sufficient to determine his hand. Define $D_i \subseteq K_i$ as the subset of values in $K_i$ which are leading to a discarded card. Clearly, $H_i = K_i - D_i$ is the subset of $K_i$ with elements leading to a card of $P_i$'s hand.

Initially, $H_i$ and $D_i$ are empty. Whenever $P_i$ gets a card with identifier $k$, he places the encryption of $\pi_i\pi_{i-1}\cdots\pi_1(k)$ into $\bar H_i$, an encrypted version of $H_i$. Before opening or discarding a card, he will confuse his opponents about the origin of the cards in $H_i$ by generating a new encrypted permutation of the elements in $H_i$ and proving it so with the PERMUTATION EQUALITY PROTOCOL. He will then use this new $\bar H_i$ to make his operation. The point is that his opponents are convinced that $H_i$ still includes the same elements, but they no longer know in which order. Moreover they know that $D_i$ has not changed.

If $P_i$ wants to discard a card from his hand, he transfers the corresponding element of $H_i$ into $D_i$.



DISCARD(i,k)

STEP 1 $P_i$ generates a new permuted version of $\bar H_i$ and uses PERMUTATION EQUALITY PROTOCOL to prove that $H_i$ has not changed.

STEP 2 $P_i$ places the entry of $\bar H_i$ corresponding to $\pi_i\pi_{i-1}\cdots\pi_1(k)$ into $D_i$.



On the other hand, if he wants to open it, he just decrypts the corresponding entry of $\bar H_i$ and uses it to follow the corresponding values in $\pi_i, \pi_{i+1}, \dots, \pi_N$ in order to get to his card (remember that the values in $K_i$ are of the form $\pi_i\pi_{i-1}\cdots\pi_1(k)$).



OPEN A CARD(i,k)

STEP 1 $P_i$ generates a new permuted version of $\bar H_i$ and uses PERMUTATION EQUALITY PROTOCOL to prove that $H_i$ has not changed.

STEP 2 sets $c = \pi_i\pi_{i-1}\cdots\pi_1(k)$

STEP 3 $P_i$ reveals $c$

STEP 4 $P_i$ decrypts the entry of $\bar H_i$ corresponding to $c$.

STEP 5 FOR $p = i + 1$ TO $N$

STEP 5.1 $P_i$ reveals $\pi_p(c)$ and $\tau_p(c)$

STEP 5.2 $P_p$ decrypts $\pi_p(c)$ and $\tau_p(c)$.

STEP 5.3 sets $c = \pi_p(c)$



8. General protocol 

Finally, here is how all these ideas fit together in order to accomplish a fair, purely 
secure, game of electronic poker: 

POKER PROTOCOL

STEP 1 each player $P_i$ uses PREPARATION(i)

STEP 2 REPEAT UNTIL the end of the game

STEP 2.1 each $P_i$ gets his cards using GET A CARD(i)

According to the rules and to their strategic decisions, the players:

STEP 2.2 bet, discard and open some cards using DISCARD and OPEN A CARD.
9. In conclusion

We have achieved the first complete solution to the mental poker problem. Our solution combines all the conveniences of a real poker game with the elimination of the unfortunate human factor (from a strategic point of view). In order to solve even more problems of card playing or similar games (such as Scrabble), with special operations such as returning cards into the deck, the full power of Boolean circuit simulation suggested in [BC] can be used. But unfortunately, the resulting protocol is too messy to be explained here.
Secret Sharing Homomorphisms:
Keeping Shares of a Secret Secret
(Extended Abstract)

Josh Cohen Benaloh*



Abstract 

In 1979, Blakley and Shamir independently proposed schemes by which a secret
can be divided into many shares which can be distributed to mutually suspicious agents.
This paper describes a homomorphism property attained by these and several other 
secret sharing schemes which allows multiple secrets to be combined by direct compu- 
tation on shares. This property reduces the need for trust among agents and allows 
secret sharing to be applied to many new problems. One application described here 
gives a method of verifiable secret sharing which is much simpler and more efficient 
than previous schemes. A second application is described which gives a fault-tolerant 
method of holding verifiable secret-ballot elections. 

1 Introduction 

Suppose that Alice holds a secret A and distributes shares of her secret to n agents, 
using Shamir's secret sharing (threshold) scheme ([Sha79]), such that any k agents 
can construct A. Suppose further that Bob holds a secret B and distributes shares 
of B to the same n agents in the same way as Alice. Finally suppose that k of 
the agents decide that they want to determine A + B while revealing as little 
information about A and B as possible. (Of course, revealing A + B yields some 
partial information about A and B.) How can this be done? 

It is not hard to see that if each of the k agents releases the sum of the two 
shares it holds, each of these sums is itself a share of the sum of the secrets A + B. 
In short, the sum of the shares of the secrets are shares of the sum of the secrets. 
It is also the case that release of these share sums gives no information about A 
and B other than that contained in the release of their sum A + B. 

In general, suppose each of m parties holds a "sub-secret", and there exists a "super-secret" which is the composition of the sub-secrets under some known function (such as the sum or the product of the sub-secrets). The parties want to determine the super-secret without revealing their sub-secrets and without depending upon cryptographic assumptions.

*This work was supported in part by the National Security Agency under Grant MDA904-84-H-0004.

Cryptographic techniques for computing with encrypted data have been studied 
in [RAD 78], [DLM82], [Yao82], [BlMe85], and [Fei85], for example. This approach 
to the problem, however, depends heavily upon cryptographic assumptions such as 
the difficulty of factoring. In this paper, we shall consider an alternate approach 
to such problems in which no cryptography or cryptographic assumptions are 
required (although the data used may be encrypted for other reasons). 

With an appropriate secret sharing homomorphism, shares of the sub-secrets 
can be distributed to n agents such that any k can determine each of the sub- 
secrets. Each agent can then compose its "sub-shares" into a single "super-share" 
such that any k of the super-shares are sufficient to determine the super-secret. 

The advantage of such a homomorphism is that k of the n agents can, by reveal- 
ing their super-shares, determine the super-secret without sharing any information 
about the constituent sub-secrets. Information about the sub-secrets can only be 
obtained if k or more agents agree to merge their sub-shares to reconstruct the 
sub-secrets. 

At this point, we assume that there are no attempts at subversion. The infor- 
mation is assumed to be correct, and the only concern is that some of the agents 
may surreptitiously collaborate in order to obtain secret information. In section 4, 
we shall see examples of how interactive proofs and cryptographic methods can be 
used to verify both the validity of the shares given to the agents and the accuracy 
of the composite results returned by the agents. 

Two applications of this homomorphism will be seen. 

The first allows the validity of secret shares to be verified without their being 
revealed. Here, a shareholding agent can obtain very high confidence that it holds 
a valid share of the secret rather than a useless random number. A share is valid 
if it, when combined with any other k — 1 shares, yields the same secret as does 
any subset of k of the shares. 

The second application is in the domain of elections. Here a voter can distribute 
shares of his or her vote to n agents. Each agent can then compose its vote-shares 
to form a share of the election tally. If k or more of the agents reveal their
composite tally-shares, then the election tally is publicly revealed. A conspiracy
of at least k dishonest agents is required, however, in order to obtain information
about an individual vote.

2 The Homomorphism Property 

Shamir in [Sha79] defines a $(k, n)$ threshold scheme to be a division of a secret $D$ into $n$ pieces $D_1, \dots, D_n$ in such a way that:

(1) knowledge of any $k$ or more $D_i$ pieces makes $D$ easily computable;

(2) knowledge of any $k - 1$ or fewer $D_i$ pieces leaves $D$ completely undetermined (in the sense that all its possible values are equally likely).

Let $S$ be the domain of possible secrets, and let $T$ be the domain of legal shares. Every instance of a $(k, n)$ threshold scheme determines a set of functions $F_I : T^k \to S$ defined for each $I \subseteq \{1, 2, \dots, n\}$ with $|I| = k$. These functions define the value of the secret $D$ given any set of $k$ values $D_{i_1}, \dots, D_{i_k}$:

$D = F_I(D_{i_1}, \dots, D_{i_k}),$

where $I = \{i_1, \dots, i_k\}$.

Definition Let $\oplus$ and $\otimes$ be binary functions on elements of the secret domain $S$ and of the share domain $T$, respectively. We say that a $(k, n)$ threshold scheme has the $(\oplus, \otimes)$-homomorphism property (or is $(\oplus, \otimes)$-homomorphic) if for all $I$, whenever

$D = F_I(D_{i_1}, \dots, D_{i_k})$

and

$D' = F_I(D'_{i_1}, \dots, D'_{i_k}),$

then

$D \oplus D' = F_I(D_{i_1} \otimes D'_{i_1}, \dots, D_{i_k} \otimes D'_{i_k}).$

This property implies that the composition of the shares are shares of the composition.

It is easy to see that Shamir's polynomial based secret sharing scheme is (+, +)- 
homomorphic, but it is not quite so apparent that Shamir's scheme satisfies another 
property which is also necessary to capture the intuition described earlier. We want 
it to also be the case that up to k — 1 sets of sub-shares together with all of the 
super-shares (and therefore the super-secret) give no more information about the 
sub-secrets than does the super-secret alone. 
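The following Python block is an added example, not code from this paper or from [Sha79] or [Kot84]; it implements Shamir's polynomial scheme over a constructed prime field and exercises the two claims of this section in working code: that sums of shares are shares of the sum (the $(+, +)$-homomorphism, used for the sum $A + B$ of the introduction and for the election tally), and condition (2') below, demonstrated by extending any $k - 1$ shares to a complete $(k, n)$ share set for an arbitrary candidate secret, so that the holder of $k - 1$ shares cannot tell which secret they belong to. The modulus and the function names (`make_shares`, `compose`, `consistent_completion`) are choices made here.

```python
import secrets

# Constructed field modulus: any prime larger than every secret and tally will do.
PRIME = 2 ** 61 - 1

def make_shares(secret, k, n, prime=PRIME):
    """Shamir (k, n): share D_x = f(x) for x = 1..n, where f is a random polynomial
    of degree k-1 with constant term f(0) = secret."""
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, e, prime) for e, c in enumerate(coeffs)) % prime)
            for x in range(1, n + 1)]

def interpolate(points, at, prime=PRIME):
    """Lagrange interpolation: value at `at` of the unique polynomial through `points`."""
    total = 0
    for x_i, y_i in points:
        num = den = 1
        for x_j, _ in points:
            if x_j != x_i:
                num = num * (at - x_j) % prime
                den = den * (x_i - x_j) % prime
        total = (total + y_i * num * pow(den, -1, prime)) % prime
    return total

def reconstruct(shares, prime=PRIME):
    """The function F_I of the text: the secret f(0) from any k shares."""
    return interpolate(shares, 0, prime)

def compose(share_rows, prime=PRIME):
    """Agent-side step: agent x adds the sub-shares it holds of every sub-secret,
    giving its super-share D_x = d_x1 + d_x2 + ... (the (+, +)-homomorphism)."""
    xs = [x for x, _ in share_rows[0]]
    assert all([x for x, _ in row] == xs for row in share_rows), "rows must share x-values"
    return [(x, sum(row[i][1] for row in share_rows) % prime) for i, x in enumerate(xs)]

def sum_of_secrets_demo(a, b, k=3, n=5):
    """Alice shares A, Bob shares B; k agents reveal only super-shares and learn A + B."""
    super_shares = compose([make_shares(a, k, n), make_shares(b, k, n)])
    return reconstruct(secrets.SystemRandom().sample(super_shares, k))

def election_demo(votes, k, n):
    """Each voter shares a 0/1 vote; any k composite tally-shares reveal the tally only."""
    return reconstruct(compose([make_shares(v, k, n) for v in votes])[:k])

def consistent_completion(partial, guess, n, prime=PRIME):
    """Condition (2): k-1 shares are consistent with every candidate secret. Given k-1
    real shares and an arbitrary guess, build the full (k, n) share set of a polynomial
    with f(0) = guess that agrees with those shares."""
    points = [(0, guess % prime)] + list(partial)
    known = {x for x, _ in partial}
    return sorted(list(partial) + [(x, interpolate(points, x, prime))
                                   for x in range(1, n + 1) if x not in known])
```

The composition in `compose` is the only step the agents perform, and it needs no communication between them and no cryptographic assumption; the arithmetic of the field does all the work, which is the point of the section. `consistent_completion` is the constructive form of condition (2): since a polynomial of degree $k - 1$ through $k - 1$ given points and any chosen value at 0 always exists, those $k - 1$ shares rule out no secret at all.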

Shamir's definition of a $(k, n)$ threshold scheme does not allow for such partial information, but Kothari in [Kot84] generalizes Shamir's definition slightly to allow for the possibility of a priori information about a secret. Kothari's definition can be summarized by replacing condition (2) above with

(2') $\Pr(D = x) = \Pr(D = x \mid D_{i_1} = x_{i_1}, D_{i_2} = x_{i_2}, \dots, D_{i_{k-1}} = x_{i_{k-1}})$ for an arbitrary set of $k - 1$ indices $\{i_1, i_2, \dots, i_{k-1}\}$, for all $x \in S$ and all $x_i \in T$.

This says that even with partial a priori information about the secret $D$, possession of up to $k - 1$ shares of $D$ gives no additional information about the value of $D$.

It is now possible to give a formal definition to capture the intuition that no 
extraneous information is released by a secret sharing homomorphism. 






Definition We define a $(\oplus,\otimes)$-composite $(k,n)$ threshold scheme to be a division of a set of $m$ sub-secrets $d_1, \ldots, d_m$ into sub-shares $d_{i,j}$, $1 \le i \le n$, $1 \le j \le m$ ($d_{i,j}$ is the $i$th share of the $j$th sub-secret $d_j$) such that

(1) The super-secret $D = d_1 \oplus d_2 \oplus \cdots \oplus d_m$ is easily computable given $k$ or more distinct super-shares $D_i = d_{i,1} \otimes d_{i,2} \otimes \cdots \otimes d_{i,m}$;

(2) For all possible values $X \in S$ of the super-secret $D$ and for every possible value $x_j$ of each sub-secret $d_j$ ($1 \le j \le m$),

$$\Pr(d_j = x_j \mid D = X) = \Pr(d_j = x_j \mid D = X;\ \forall i \in I,\ D_i = X_i;\ \forall i' \in I',\ \forall j' \in J,\ d_{i',j'} = x_{i',j'})$$

where $I = \{1, 2, \ldots, n\}$, $J = \{1, 2, \ldots, m\}$, and $I'$ is an arbitrary subset of size up to $k-1$ of $\{1, 2, \ldots, n\}$, and for all possible values $X_i \in T$ of the super-shares and for every possible value $x_{i',j'} \in T$ of the sub-shares.

Intuitively, the first property says that any $k$ of the $n$ agents can together determine the super-secret $D$. The second property asserts that no conspiracy of fewer than $k$ agents can gain any information at all about any of the sub-secrets $d_j$ (other than that already given by the super-secret $D$) even when given all of the super-shares $D_i$.

The following theorem is somewhat surprising.

Theorem 1 If the secret domain $S$ and the share domain $T$ are finite and of the same cardinality, then every $(\oplus,\otimes)$-homomorphic $(k,n)$ threshold scheme is a $(\oplus,\otimes)$-composite $(k,n)$ threshold scheme.

Proof: (sketch)

The definition of $(\oplus,\otimes)$-homomorphism implies condition (1) immediately. To prove condition (2), it is simpler to consider only the case when $m = 2$ (two sub-secrets). The case for arbitrary $m$ follows straightforwardly. Consider a table of the form

    S :  s_1  s_2  ...  s_n
    A :  a_1  a_2  ...  a_n
    B :  b_1  b_2  ...  b_n

where $S = A \oplus B$ and for all $i$, $s_i = a_i \otimes b_i$. $S$ is the secret defined by the shares $s_1, \ldots, s_n$, $A$ is the secret defined by the shares $a_1, \ldots, a_n$, and $B$ is the secret defined by the shares $b_1, \ldots, b_n$.

Assume that a set of up to $k-1$ conspirators are willing to share some of their information in order to try to gain information about $A$ and $B$. Without loss of generality, assume that these conspirators are among the first $k-1$ shareholders.

By the definition of a $(k,n)$ threshold scheme, $A$ and $B$ remain completely undetermined even if $k-1$ shares are known. Therefore, we may assume that all of $a_1, a_2, \ldots, a_{k-1}$ and $b_1, b_2, \ldots, b_{k-1}$ are known to the conspirators. With this information, the conspirators are able to compute $s_1, s_2, \ldots, s_{k-1}$ without assistance. It is already assumed that the "super-secret" $S$ is known. Therefore, since $|S| = |T| < \infty$, the "super-shares" $s_k, s_{k+1}, \ldots, s_n$ are completely determined and can be computed by the conspirators: with $s_1, \ldots, s_{k-1}$ fixed, condition (2') requires every value of $S$ to be equally likely as $s_k$ ranges over $T$, so with $|S| = |T|$ the map from $s_k$ to $S$ is a bijection, and knowing $S$ fixes $s_k$, hence $k$ shares, hence all $n$ shares. Thus, their release to the conspirators gives them no additional information. $\square$

Remark The condition that the secret domain $S$ and the share domain $T$ are of the same finite cardinality was not strictly required, and the following weaker property will suffice. For a given super-share $D_k$ and sub-secrets $d_1, d_2, d'_1, d'_2$ such that $d_1 \oplus d_2 = D = d'_1 \oplus d'_2$, let $p$ be the conditional probability that $D_k = d_{1,k} \otimes d_{2,k}$ for some $d_{1,k}$ and $d_{2,k}$ which imply sub-secrets $d_1$ and $d_2$, respectively, and let $p'$ be the conditional probability that $D_k = d'_{1,k} \otimes d'_{2,k}$ for some $d'_{1,k}$ and $d'_{2,k}$ which imply sub-secrets $d'_1$ and $d'_2$, respectively. If $p = p'$ for all such $d_1, d_2, d'_1, d'_2$, and $D_k$, then the conclusion of the theorem is true.

For simplicity of exposition (and to keep the notation under control), this generalization has not been incorporated into the theorem. Its inclusion is straightforward, but cumbersome, and appears to offer no additional insights.

3 Some Examples 

It is easy to see that the properties of polynomials give Shamir's $(k,n)$ threshold scheme the $(+,+)$-homomorphism property, and since the secret domain and the share domain consist of the same finite set (namely the integers modulo $p$), Shamir's scheme is a $(+,+)$-composite $(k,n)$ threshold scheme and enjoys all of the properties thereof.

Some other techniques can also be easily seen to produce $(+,+)$-composite $(k,n)$ threshold schemes. See [Bla79], [AsBl80], and [Kot84] for some further examples.

What if the super-secret is not the sum of the sub-secrets? Shamir's scheme is not $(\times,\times)$-composite. This is because the product of two non-constant polynomials is of higher degree than the factors.

By using a homomorphism between addition and discrete logarithms, for example, it is possible to transform Shamir's scheme into a $(\times,+)$-composite $(k,n)$ threshold scheme. Thus, if the desired super-secret is the product of the sub-secrets, Shamir's scheme can still be used. This method can be summarized by the following adage: the sums of the shares of the discrete logs of the secrets are shares of the discrete log of the product of the secrets.

In general, discrete logarithms may be difficult to compute. However, if $p$ is small or of one of a variety of special forms, the problem is tractable (see [PoHe78], [Adl79], [COS86]). It should be emphasized that such special cases for $p$ do not in any way weaken the security of our schemes. The security is not cryptographic, but rather is information theoretic. Therefore, there need be no assumptions about the difficulty of solving any special problems.

4 Applications 

The applications described here rely on the encryption of shares both to facilitate their distribution and to allow for a mechanism which ensures that certain properties of the shares are attained. Since the encryptions of shares are made public, the security is no longer information theoretic, but rather depends upon a cryptographic assumption.

The encryption function used here was introduced in [CoFi85] and draws upon the ideas of probabilistic encryption found in [GoMi84]. The function is also described in [BeYu86].

Before beginning, a prime number $r$ is fixed such that $r > |S|$, the size of the secret domain. To develop an encryption function $E$, one selects primes $p$ and $q$ such that $r \mid (p-1)$ and $r \nmid (q-1)$. Let $N$ be the product $N = pq$. The developer releases the pair $(N, y)$ where $y$ is relatively prime to $N$ and $y$ is not an $r$th residue modulo $N$.¹ It is necessary in most applications for the developer of such an encryption function to convince others that $y$ is, in fact, not an $r$th residue modulo $N$. This may be accomplished by interactive proof techniques described in [CoFi85] and [BeYu86].

To use $E$ to encrypt a value $s$, one randomly selects an $x$ and forms $E(s, x, y, N) = y^s x^r \bmod N$. The holder of the trapdoor factors of $N$ can easily determine $s$ from $E(s, x, y, N)$. However, there is no known efficient method for determining $s$ from its encryption when the factors of $N$ are not known.
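The encryption function just described, worked through in Python as an added example (this is not code from the paper). The toy parameters $r = 7$, $p = 29$, $q = 11$ (so $N = 319$) and $y = 2$ are chosen here and are far too small for any real use. The program shows the non-residue test a developer can run with the factors, the trapdoor decryption that follows from the algebra ($c^{\varphi(N)/r} = (y^{\varphi(N)/r})^{s}$, and $y^{\varphi(N)/r}$ has order $r$, so $s$ is found by trying the $r$ candidates), and the homomorphism $E(s_1)\,E(s_2) \equiv E(s_1 + s_2 \bmod r)$ that Section 4.1 relies on. The extra condition $\gcd(r, \varphi(N)/r) = 1$, which these parameters satisfy, is assumed here so that decryption is unique.

```python
"""The r-th residue encryption E(s, x, y, N) = y^s x^r mod N of Section 4.
Added example, not the paper's code: r = 7, p = 29, q = 11, y = 2 are toy
parameters constructed here (r | p-1 = 28, r does not divide q-1 = 10)."""
import math
import random

r, p, q = 7, 29, 11
N = p * q                      # 319, published together with y
PHI = (p - 1) * (q - 1)        # 280; the trapdoor, known only to the factor holder
y = 2                          # public; must NOT be an r-th residue modulo N


def is_rth_residue(v, phi=PHI, n=N, r=r):
    """With the factors: v is an r-th residue mod N iff v^(phi/r) == 1 mod N.
    (Holds because r | p-1, r does not divide q-1, gcd(r, phi/r) = 1.)"""
    return pow(v, phi // r, n) == 1


def encrypt(s, n=N, y=y, r=r, x=None):
    """E(s, x, y, N) = y^s * x^r mod N, with x random and coprime to N."""
    while x is None or math.gcd(x, n) != 1:
        x = random.randrange(1, n)
    return pow(y, s, n) * pow(x, r, n) % n


def decrypt(c, phi=PHI, n=N, y=y, r=r):
    """Trapdoor decryption: c^(phi/r) kills the x^r factor (x^phi == 1) and
    leaves (y^(phi/r))^s; y^(phi/r) has order r, so s < r is unique."""
    target = pow(c, phi // r, n)
    base = pow(y, phi // r, n)
    for s in range(r):
        if pow(base, s, n) == target:
            return s
    raise ValueError("not an encryption of any s in 0..r-1")


def combine(c1, c2, n=N):
    """Homomorphism: E(s1)*E(s2) = y^(s1+s2) (x1 x2)^r is an encryption of
    (s1 + s2) mod r, since any surplus y^r is itself an r-th residue."""
    return c1 * c2 % n
```

Without the factors, `is_rth_residue` cannot be evaluated, which is why the text requires the developer to prove the non-residuosity of $y$ interactively.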

4.1 Verifiable Secret Sharing 

The first application gives a simple and efficient method for verifiable secret shar- 
ing. This problem was first described in [CGMA85] and the application of secret 
sharing homomorphisms to this problem was developed as a result of an observa- 
tion made by Oded Goldreich. 

Definition We say that a set of $n$ shares $s_1, s_2, \ldots, s_n$ is $k$-consistent if every subset of $k$ of the $n$ shares defines the same secret.

The problem of verifiable secret sharing is to convince shareholders that their shares (collectively) are $k$-consistent.

It is easy to see that in Shamir's scheme, the shares $s_1, s_2, \ldots, s_n$ are $k$-consistent if and only if the interpolation of the points $(1, s_1), (2, s_2), \ldots, (n, s_n)$ yields a polynomial of degree at most $d = k-1$. It is also useful to observe that if the sum of two polynomials is of degree at most $d$, then either both are of degree at most $d$ or both are of degree greater than $d$.

¹ $y$ is an $r$th residue modulo $N$ if and only if there exists an $x$ such that $y \equiv x^r \pmod N$.

This suggests the following outline of an interactive proof that a polynomial 
P, given by its (encrypted) values at n distinct points, is of degree at most d (see 
[FMR84] and [GMR85] for a description of interactive proofs and applications). 

1. Encryptions of the values of the points that describe P are released by the 
prover. 

2. Encryptions of many (say 100) additional random polynomials again of degree 
at most d are also released by the prover. 

3. A random subset of the random polynomials is designated by the verifier(s). 

4. The polynomials in the chosen subset are decrypted by the prover. They 
must all be of degree at most d. 

5. Each remaining random polynomial is added to P. (Note that pointwise 
addition gives the same polynomial as the coefficientwise addition.) Each of 
these sum polynomials is decrypted by the prover. They must also all be of 
degree at most d. 

The encryption of the values of each point must be probabilistic (to prevent 
guessing of values) and satisfy a homomorphism property (so that an encryption 
of the sum of two values can be developed directly from the encryptions of the 
two values). These properties are satisfied by the encryption function E described 
above. 

In more detail, a secret $s$ is divided into $n$ shares $s_1, s_2, \ldots, s_n$ such that the polynomial $P$ interpolated through the points $(i, s_i)$ has degree at most $k-1$ and passes through the point $(0, s)$. (So far, this is precisely Shamir's scheme.) Each (future) shareholder selects and makes public an $(N_i, y_i)$ pair to develop an encryption function $E_i$ as above. The $i$th share, $s_i$, is transmitted to the $i$th shareholder by selecting a random $x_i$ and releasing $E_i(s_i, x_i, y_i, N_i) = y_i^{s_i} x_i^r \bmod N_i$.

To prove interactively that the (encrypted) points released describe a polynomial with degree no more than $d$, prepare (say) 100 more random polynomials, each of degree at most $d$, in exactly the same way. The values of these random polynomials at 0 (the secrets they describe) are also selected randomly.

The verifiers randomly select a subset $A$ of these random polynomials. Each polynomial in $A$ is opened by revealing the corresponding $s_i$ and $x_i$. For each polynomial $P'$ not in $A$, the (pointwise) sum $P + P'$ is opened by releasing $s_i + s'_i \bmod r$ and $x_i \cdot x'_i \cdot y_i^{\lfloor (s_i + s'_i)/r \rfloor}$, where the $i$th point of $P'$ is given by $E_i(s'_i, x'_i, y_i, N_i)$. All points released should describe polynomials of degree at most $d$.

It is not hard to see that a set of random polynomials of degree at most $d$ together with a set of sums of $P$ and other random polynomials of degree at most $d$ gives no useful information about $P$ (other than that its degree is bounded by $d$).
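The five-step protocol of Section 4.1, run end to end in Python as an added example (not code from the paper). Each of five shareholders gets its own toy $(N_i, y_i)$ built from the constructed prime pairs below, all sharing $r = 7$ (which caps $n$ at 6 and is far too small for real use); the number of random polynomials is 20 rather than 100. The verifier's checks are that every opened pair re-encrypts to the published (or product) ciphertext and that the opened share values fit a polynomial of degree at most $d$, the latter tested here by forward differences on the points $1, \ldots, n$, a method chosen for this example and valid because $r > n$. A `cheat` switch makes the prover's points lie on a degree $d+1$ polynomial, which every opened sum then exposes.

```python
"""Cut-and-choose proof of Section 4.1 that encrypted Shamir shares lie on a
polynomial of degree at most d, each share encrypted as
E_i(s, x) = y_i^s x^r mod N_i under that shareholder's own (N_i, y_i).
Added example, not the paper's code: the toy moduli, M = 20 random
polynomials and the finite-difference degree test are choices made here."""
import math
import random

r = 7                                 # prime > |secret domain|, common to all E_i
SHAREHOLDER_PRIMES = [(29, 11), (43, 13), (71, 17), (113, 19), (127, 23)]


def make_params(p, q):
    """One shareholder's (N_i, y_i): r | p-1, r does not divide q-1, and y_i
    is checked with the factors to be a non-r-th-residue (y^(phi/r) != 1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    y = next(v for v in range(2, N)
             if math.gcd(v, N) == 1 and pow(v, phi // r, N) != 1)
    return N, y


def enc(s, x, N, y):
    """E(s, x, y, N) = y^s x^r mod N."""
    return pow(y, s, N) * pow(x, r, N) % N


def rand_x(N):
    while True:
        x = random.randrange(1, N)
        if math.gcd(x, N) == 1:
            return x


def eval_poly(coeffs, x):
    return sum(c * pow(x, j, r) for j, c in enumerate(coeffs)) % r


def degree_at_most(values, d):
    """values = f(1), ..., f(n) over GF(r), r > n: the (d+1)-th forward
    difference is identically zero iff the points fit a degree <= d polynomial."""
    for _ in range(d + 1):
        values = [(b - a) % r for a, b in zip(values, values[1:])]
    return not any(values)


def encrypted_poly(coeffs, params):
    """Points i = 1..n as (s_i, x_i, E_i(s_i, x_i)) with s_i = P(i)."""
    out = []
    for i, (N, y) in enumerate(params, start=1):
        s, x = eval_poly(coeffs, i), rand_x(N)
        out.append((s, x, enc(s, x, N, y)))
    return out


def prove_degree(secret, d, params, M=20, cheat=False):
    """Run the five-step protocol; return True iff the verifier accepts.
    cheat=True makes the prover's points lie on a degree d+1 polynomial."""
    P = [secret % r] + [random.randrange(r) for _ in range(d)]
    if cheat:
        P.append(random.randrange(1, r))
    pub = encrypted_poly(P, params)                              # step 1
    rnd = [encrypted_poly([random.randrange(r) for _ in range(d + 1)], params)
           for _ in range(M)]                                    # step 2
    A = set(random.sample(range(M), M // 2))                     # step 3
    for j, Q in enumerate(rnd):
        if j in A:                                               # step 4: open Q
            opened = [(s, x) for s, x, _ in Q]
            cipher = [c for _, _, c in Q]
        else:                                                    # step 5: open P + Q
            opened = [((s + t) % r, x * u * pow(y, (s + t) // r, N) % N)
                      for (s, x, _), (t, u, _), (N, y) in zip(pub, Q, params)]
            cipher = [c * e % N for (_, _, c), (_, _, e), (N, _) in zip(pub, Q, params)]
        ok = all(enc(s, x, N, y) == c
                 for (s, x), c, (N, y) in zip(opened, cipher, params))
        if not ok or not degree_at_most([s for s, _ in opened], d):
            return False
    return True
```

The opening of $P + P'$ re-encrypts correctly because $y^{(s+s') \bmod r} (x x' y^{\lfloor (s+s')/r \rfloor})^r = y^{s+s'} (xx')^r$, which is exactly the product of the two published ciphertexts.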

4.2 Secret-Ballot Elections 

The motivating application for this work is in the domain of cryptographic elec- 
tions. In [CoFi85], an election scheme is presented which allows a government to 
hold an election in which the legitimacy of the votes and the tally is verified by 
means of interactive proofs. 

Although there is high confidence in the correctness of the tally in such an election, the government is a "trusted authority" with the ability to see every vote and thereby compromise every voter's privacy.

In [BeYu86], the government is replaced by a set of "tellers" such that it is 
necessary for all tellers to conspire in order to compromise a voter's privacy. In 
that scheme, however, if even one of the tellers fails to complete its protocol 
properly, the entire election fails and no tally is produced. 

The basic election scheme described in these papers can, however, be embed- 
ded within a (+, +)-composite (k,n) threshold scheme (in particular, in Shamir's 
scheme) as suggested by the outline below. This extension is also described in 
[Coh86]. 

Instead of a single government, n sub-governments (or tellers) each hold a sub- 
election. Each voter chooses either 0 or 1 as a secret value (0 indicating a no vote, 
1 indicating a yes vote) and distributes one share of the secret vote to each of the 
n tellers. The tally of the election will be the sum of the voters' secrets. 

After votes are cast, each teller simply adds the vote-shares it has received 
using the (single government) verifiable election scheme of [CoFi85]. Since the 
(k,n) threshold scheme has the (+, +)-homomorphism property, this sum of vote- 
shares is itself a share of the sum (tally) of the votes. Thus, once k or more tellers 
release their sub-tallies, the overall election tally can be determined. Furthermore, 
since the secret domain and the share domain consist of the same finite set, the 
conditions of Theorem 1 are satisfied, and k or more conspiring tellers are required 
to determine any individual voter's secret vote. 

The interactive proof techniques used in section 4.1 can be generalized slightly 
to allow verification of the vote-shares. Here, each voter participates in an inter- 
active proof to demonstrate to all participants that the vote-shares it distributes 
are legitimate in the sense that every set of k vote-shares derives the same secret 
vote and that this vote is either a 0 or a 1. 

Thus, as long as at least $k$ of the $n$ designated tellers participate through to conclusion, an election can be conducted such that each participant has very high confidence in the accuracy of the resulting tally and no set of fewer than $k$ tellers (together with any number of conspiring voters) can (without breaking the underlying cryptosystem and thereby solving an open number theoretic problem) gain more than a polynomially small advantage at distinguishing between possible votes of honest voters.
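The homomorphisms of Section 3 and the teller tally of Section 4.2, worked through in Python as an added example (this is not code from the paper). Shamir's scheme is implemented over $GF(p)$; `tally` lets each teller add the vote-shares it holds and any $k$ tellers recover the sum of the votes, `product_of_shares` shows why pointwise products of shares do not give a $(\times,\times)$-homomorphism (they lie on a polynomial of degree $2(k-1)$, so $k$ shares fail while $2k-1$ suffice), and `product_via_dlog` realizes the $(\times,+)$ adage in the order-11 subgroup of $GF(23)^*$ generated by 4, where the discrete logs are found by table lookup. The primes, the subgroup, the sample votes and all function names are choices made here, and the vote-share validity proof of Section 4.1 is replaced by a plain assertion.

```python
"""Shamir (k, n) sharing over GF(p), the (+,+) and (x,+) homomorphisms of
Section 3 and the share-the-votes tally of Section 4.2.
Added example, not the paper's code: the moduli, the toy subgroup of GF(23)^*,
the sample votes and the function names are all choices made here."""
import random

P = 2**31 - 1   # field modulus for the additive schemes; any prime > n works


def share(secret, k, n, p=P):
    """Random polynomial of degree <= k-1 with q(0) = secret; share i is (i, q(i))."""
    coeffs = [secret % p] + [random.randrange(p) for _ in range(k - 1)]
    return [(i, sum(c * pow(i, j, p) for j, c in enumerate(coeffs)) % p)
            for i in range(1, n + 1)]


def recover(shares, p=P):
    """Lagrange interpolation at x = 0 from any k shares (x_j, y_j)."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def tally(votes, k, n, p=P):
    """Section 4.2: every voter shares a 0/1 vote among n tellers; teller i adds
    the vote-shares it receives, and by the (+,+)-homomorphism any k of the
    sub-tallies reconstruct the sum of all votes."""
    teller_sums = [0] * n
    for v in votes:
        assert v in (0, 1), "stand-in for the vote-share proof of Section 4.1"
        for i, y in share(v, k, n, p):
            teller_sums[i - 1] = (teller_sums[i - 1] + y) % p
    sub_tallies = [(i + 1, s) for i, s in enumerate(teller_sums)]
    return recover(random.sample(sub_tallies, k), p)


def product_of_shares(a, b, k, n, p=P):
    """Shamir is not (x,x)-homomorphic: pointwise products of shares lie on a
    polynomial of degree 2(k-1), so k of them do not recover a*b, although
    2k-1 of them do (requires n >= 2k-1).  Returns (with_k, with_2k_minus_1)."""
    sa, sb = share(a, k, n, p), share(b, k, n, p)
    prod = [(i, ya * yb % p) for (i, ya), (_, yb) in zip(sa, sb)]
    return (recover(prod[:k], p) == a * b % p,
            recover(prod[:2 * k - 1], p) == a * b % p)


def product_via_dlog(a, b, k, n, p=23, g=4, q=11):
    """(x,+)-composite use of Shamir: g generates the order-q subgroup of
    GF(p)^*, so discrete logs live in GF(q) and are shared additively; adding
    the two sets of shares gives shares of log(a*b).  Constructed toy group."""
    table = {pow(g, e, p): e for e in range(q)}          # brute-force dlog
    sa, sb = share(table[a], k, n, q), share(table[b], k, n, q)
    summed = [(i, (ya + yb) % q) for (i, ya), (_, yb) in zip(sa, sb)]
    return pow(g, recover(summed[:k], q), p)
```

Note that `product_via_dlog` only accepts secrets inside the subgroup generated by $g$ (a `KeyError` otherwise), which is the price of working in a prime-order group so that the exponents form a field.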
Abstract

This paper demonstrates that Shamir's scheme ("How to share a secret", Communications of the ACM, vol. 22, no. 11, 
November 1979, 612-613) is not secure against cheating. A small modification to his scheme retains the security and 
efficiency of the original, is secure against cheating, and preserves the property that its security does not depend on any 
unproven assumptions such as the intractability of computing number-theoretic functions. 

1. How to Cheat when Sharing a Secret 

Shamir [7] proposed and solved a problem in which a secret known only to one party is to be divided among $n$ other participants. This is to be done in such a way that a certain number $k$ of these participants is necessary and sufficient to reconstruct the secret. Each individual participant knows $n$, $k$, and the set of possible values of the secret. The problem is stated more precisely as follows:

Inputs:

• Nonnegative integers $n$, $s$, and $k \le n$.

• A "secret" $D \in \{0, 1, \ldots, s-1\}$.

Problem: Divide $D$ into "shares" $D_1, D_2, \ldots, D_n$ such that

(a) knowledge of any $k$ shares is sufficient to efficiently reconstruct $D$, and

(b) knowledge of any $k-1$ shares provides no more information about the value of $D$ than was known before.

This material is based in part upon work supported by the National Science Foundation under grants DCR-8301212 
and DCR-8352093. 
Such a scheme would be useful, for example, when some data must be replicated over $n$ locations (say, for convenience or fault tolerance), and simultaneously must be protected from $k-1$ security violations (for example, due to sensitivity of the data or mistrust among the participants).

Shamir's solution is simple, elegant and, unlike most other protocols related to cryptography, not dependent on any unproven assumptions about the complexity of computing certain number-theoretic functions. Shamir's scheme for dividing $D$ into shares is as follows:

1. Choose any prime $p > \max(s, n+1)$. Let $Z_p$ represent the field of integers modulo $p$.

2. Choose $a_1, a_2, \ldots, a_{k-1} \in Z_p$ randomly, uniformly, and independently.

3. Let $q(x) = D + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}$.

4. Let $D_i = q(i)$, for all $1 \le i \le n$. (The evaluation of $q(i)$ is done over $Z_p$.)

Properties (a) and (b) now follow from the interpolation theorem, which states that $k$ points are necessary and sufficient to determine $q(x)$. (Details are given in the next section.)

Since the scheme is intended to be useful in applications involving mistrustful participants, the following property is desirable in addition to (a) and (b):

(c) There is only a small probability $\varepsilon > 0$ that any $k-1$ participants $i_1, i_2, \ldots, i_{k-1}$ can fabricate new shares $D'_{i_1}, D'_{i_2}, \ldots, D'_{i_{k-1}}$ that deceive a $k$th participant $i_k$. Here, deceiving the $k$th participant means that, from $D'_{i_1}, D'_{i_2}, \ldots, D'_{i_{k-1}}$, and $D_{i_k}$, the secret $D'$ reconstructed is "legal" (i.e., $D' \in \{0, 1, \ldots, s-1\}$), but "incorrect" (i.e., $D' \ne D$).

The desirability of condition (c) is particularly clear when $k = 2$. Without condition (c), a cheater can obtain $D$ while simultaneously, and without being detected, convincing a second participant of an incorrect secret. Notice that the stronger version of condition (c) resulting when $\varepsilon = 0$ is unattainable. This is due to the fact that condition (b) implies that for any share $D_{i_k}$ of the secret $D$ and any legal but incorrect secret $D' \ne D$ there must exist $D'_{i_1}, D'_{i_2}, \ldots, D'_{i_{k-1}}$ such that the collection of shares $\{D'_{i_1}, D'_{i_2}, \ldots, D'_{i_{k-1}}, D_{i_k}\}$ represents the secret $D'$, thus deceiving the $k$th participant.

Unfortunately, Shamir's scheme is not secure against such cheating. Firstly, if $p = s$ then all reconstructed secrets are legal, so that it is impossible for the $k$th participant to detect cheating. One might guess from this that Shamir's scheme can be made secure by choosing $p$ much greater than $s$, since then there would be only a slight chance of the reconstructed secret being legal. The following example shows that this is not the case. In fact, with high probability a single participant can deceive $k-1$ others.

Suppose that participants $i_1, i_2, \ldots, i_k$ agree to pool their shares. Participant $i_1$, who decides to cheat, uses interpolation to find a polynomial $\lambda(x)$ of degree at most $k-1$ such that $\lambda(0) = -1$ and $\lambda(i_2) = \lambda(i_3) = \cdots = \lambda(i_k) = 0$. Having been given the share $D_{i_1}$, participant $i_1$ announces instead the share $D_{i_1} + \lambda(i_1)$. Now the interpolation theorem guarantees that the $k$ participants will reconstruct the polynomial $q(x) + \lambda(x)$, which has constant term $q(0) + \lambda(0) = D - 1$. Thus, the deception will go undetected unless the original secret happened to be $D = 0$.
In the next section, it is shown that a small modification of Shamir's scheme has all 3 of properties (a), (b), and (c). (In fact, even knowledge of both the secret $D$ and the polynomial $q(x)$ does not increase the probability of successful deception.) Furthermore the running time is polynomial in $k$, $n$, $\log s$ and $\log(1/\varepsilon)$.

One straightforward solution to the problem of cheating is to have the distributor of shares sign each share $D_i$ with an unforgeable signature (such as that proposed in [5]). This is, in fact, exactly the solution that Rabin [6] chose when he used Shamir's scheme to solve the problem of agreement among distributed processes that might cheat. There are 2 advantages of our scheme over the use of Shamir's scheme plus signatures:

1. All currently known signature schemes depend upon such unproven hypotheses as the intractability of integer 
factorization, whereas our secret sharing scheme, like Shamir's, does not. In fact, our scheme is secure even if the 
conspirators have unlimited computational resources. 

2. Our scheme is exactly as easy to implement as Shamir's, thus avoiding the complications of implementing an 
additional signature scheme. 

A recent paper [2] introduced a related problem called "verifiable secret sharing". This problem is in some sense more 
general than ours, since the distributor of secrets, like the other participants, is not above cheating. In particular, the 
problem requires that the distribution of inconsistent pieces be detected. All known solutions, including the best so far 
[3], rely on unproven assumptions such as the intractability of integer factorization or the existence of secure encryption 
schemes. Thus, they have the disadvantages mentioned previously in the discussion of signature schemes. 

2. You Can Fool Some of the People All of the Time 

This section shows how to modify Shamir's scheme so that the probability of undetected cheating is less than $\varepsilon$, for any $\varepsilon > 0$.

1. Choose any prime $p > \max((s-1)(k-1)/\varepsilon + k,\ n)$.

2. Choose $a_1, a_2, \ldots, a_{k-1} \in Z_p$ randomly, uniformly, and independently.

3. Let $q(x) = D + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}$.

4. Choose $(x_1, x_2, \ldots, x_n)$ uniformly and randomly from among all permutations of $n$ distinct elements from $\{1, 2, \ldots, p-1\}$. Let $D_i = (x_i, d_i)$, where $d_i = q(x_i)$.

Note that the key difference between this and Shamir's scheme occurs in step 4. The proofs of properties (a) and (b) were given by Shamir, and are presented here for completeness.

(a) Any $k$ participants can determine the secret uniquely by interpolation, since the points $x_1, x_2, \ldots, x_n$ are distinct.

(b) Suppose participants $i_1, i_2, \ldots, i_{k-1}$ conspire to determine the secret without consulting participant $i_k$. When the values of $D$ and $x_{i_1}, x_{i_2}, \ldots, x_{i_{k-1}}$ are fixed, $q(x_{i_1}), q(x_{i_2}), \ldots, q(x_{i_{k-1}})$ are functions of the random variables $a_1, a_2, \ldots, a_{k-1}$. Using the interpolation theorem and the mutual independence of $a_1, a_2, \ldots, a_{k-1}$, it is straightforward to show that those $k-1$ values $q(x_{i_1}), q(x_{i_2}), \ldots, q(x_{i_{k-1}})$ are uniformly distributed and mutually independent. Hence, the secret shares $D_{i_1}, D_{i_2}, \ldots, D_{i_{k-1}}$ provide no more information about the value of $D$ than do random numbers. (This proof is somewhat more general than Shamir's, since his assumes that $D$ is chosen by some random process, or at least viewed that way by the conspirators.)

(c) It remains to explore the probability of deceiving another participant. It will be shown that property (c) holds even if the $k-1$ cheaters know $q(x)$, and hence know the secret. Suppose participants $i_1, i_2, \ldots, i_{k-1}$ fabricate values $(x'_{i_1}, d'_{i_1}), (x'_{i_2}, d'_{i_2}), \ldots, (x'_{i_{k-1}}, d'_{i_{k-1}})$ to send to participant $i_k$. Each possible secret $D' \in \{0, 1, \ldots, s-1\}$ defines a distinct polynomial $q_{D'}(x)$ of degree at most $k-1$ passing through the point $(0, D')$ and the fabricated points above. If $D' \ne D$, such a polynomial $q_{D'}(x)$ can intersect $q(x)$ in at most $k-1$ points. Participant $i_k$ will reconstruct the incorrect secret $D'$ only if $q_{D'}(x_{i_k}) = q(x_{i_k})$ and $D' \ne D$. Recall that $x_{i_k}$ is a random element of $\{1, 2, \ldots, p-1\} - \{x_{i_1}, x_{i_2}, \ldots, x_{i_{k-1}}\}$. Thus for each polynomial $q_{D'}(x)$ with $D' \ne D$ the probability that $q_{D'}(x_{i_k}) = q(x_{i_k})$ is at most $(k-1)/(p-k)$. There are $s-1$ legal but incorrect secrets, so the fabricated values yield $s-1$ corresponding polynomials. Any one of these polynomials would deceive participant $i_k$ with probability at most $(k-1)/(p-k)$. Thus the probability of deceiving participant $i_k$ is at most $(s-1)(k-1)/(p-k) < \varepsilon$.

It will now be shown that this scheme runs in expected time polynomial in $k$, $n$, $\log s$, and $\log(1/\varepsilon)$. It suffices to demonstrate that the expected time is polynomial in $k$, $n$ and $\log p$, since $p$ may always be chosen so that $\log p$ is linear in $\log k$, $\log n$, $\log s$, and $\log(1/\varepsilon)$. A certified prime $p$ of this magnitude can be found in expected time polynomial in $\log p$ [4]. The random choice of $a_1, a_2, \ldots, a_{k-1}$ and $(x_1, x_2, \ldots, x_n)$ can be done in expected time polynomial in $k$, $n$, and $\log p$, as can the evaluation of $q(x)$ at $n$ points over $Z_p$. Finally, interpolating $k$ points over $Z_p$ can be done in time polynomial in $k$ and $\log p$ [1].
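The cheating example of section 1 and the exposure bound of section 2, run in Python as an added example (this is not code from the paper). `shamir_attack` lets participant 1 of a pooled group add $\lambda(1)$ to its share so that the group recovers $D - 1$; `tompa_woll_exposure` gives $k-1$ conspirators who know only their own secret $x$'s a single guess at the victim's $x$ (one strategy chosen here), and then counts exactly, over every possible victim $x$, how many would accept a legal but incorrect secret, a count the proof of (c) bounds by $(s-1)(k-1)$. The field size $p = 2003$ (which satisfies step 1 for $s = 100$, $k = 3$, $\varepsilon = 0.1$), the participant positions and the function names are assumptions made here.

```python
"""Cheating against Shamir's scheme (section 1) and its detection by the
modification of section 2.  Added example, not the paper's code: the field
size, the legal range s, the participant positions and the conspirators'
single-guess strategy are choices made here."""
import random


def recover(points, p):
    """Lagrange interpolation at 0 over Z_p: q(0) from k points (x_j, y_j)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def make_poly(D, k, p):
    """q(x) = D + a_1 x + ... + a_{k-1} x^{k-1} with random a_j in Z_p."""
    return [D % p] + [random.randrange(p) for _ in range(k - 1)]


def evalp(a, x, p):
    return sum(c * pow(x, j, p) for j, c in enumerate(a)) % p


def cheat_share(point, zero_xs, p):
    """Replace (x1, y1) by (x1, y1 + lambda(x1)), where lambda has degree
    len(zero_xs), lambda(0) = -1 and lambda vanishes on zero_xs, i.e.
    lambda(x1) = -prod (x1 - x) / (0 - x) over x in zero_xs."""
    x1, y1 = point
    lam = p - 1                                    # -1 mod p
    for x in zero_xs:
        lam = lam * (x1 - x) * pow((-x) % p, -1, p) % p
    return x1, (y1 + lam) % p


def shamir_attack(D, k, s, p):
    """Section 1: participants 1..k pool shares and participant 1 cheats; the
    group reconstructs D - 1, a legal (undetected) secret unless D = 0.
    Returns (reconstructed secret, whether it is legal)."""
    a = make_poly(D, k, p)
    pts = [(x, evalp(a, x, p)) for x in range(1, k + 1)]
    pts[0] = cheat_share(pts[0], [x for x, _ in pts[1:]], p)
    Dp = recover(pts, p)
    return Dp, 0 <= Dp < s


def tompa_woll_exposure(D, k, s, p, conspirator_xs, guess):
    """Section 2: the k-1 conspirators know only their own secret x's, so
    they target one guess of the victim's x.  Count exactly, over every
    possible victim x in {1..p-1} outside theirs, how often the victim would
    accept a legal but incorrect secret; the proof of (c) bounds the count by
    (s-1)(k-1), i.e. the probability by (s-1)(k-1)/(p-k).  Returns
    (count, bound)."""
    a = make_poly(D, k, p)
    pts = [(x, evalp(a, x, p)) for x in conspirator_xs]
    pts[0] = cheat_share(pts[0], [x for x, _ in pts[1:]] + [guess], p)
    fooled = 0
    for xv in range(1, p):
        if xv in conspirator_xs:
            continue
        Dp = recover(pts + [(xv, evalp(a, xv, p))], p)
        if Dp != D and 0 <= Dp < s:
            fooled += 1
    return fooled, (s - 1) * (k - 1)
```

When the guess happens to equal the victim's $x$ the victim reconstructs $D - 1$ exactly as in section 1, so the count is at least 1 for $D \ne 0$; the bound is what keeps that from mattering once $p$ is chosen by step 1.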

3. How to Keep a Secret from Cheaters 

Unfortunately, although cheaters are detected with high probability, they obtain the secret while the other participants gain no information about the secret. The reader can probably imagine applications in which this would be unacceptable.

A simple solution is to introduce a dummy legal value, say $s$, that is never used as the value of a real secret. The true secret $D$ is now encoded as a sequence $D^{(1)}, D^{(2)}, \ldots, D^{(t)}$ where $D^{(i)} = D$ for some $i$ chosen randomly, and $D^{(j)} = s$ for all $j \ne i$. Each element of this sequence is then divided into shares using the scheme of section 2.

When $k$ participants agree to pool their shares, they reconstruct $D^{(1)}, D^{(2)}, \ldots$ one at a time, until some $D^{(l)} \ne s$ is obtained. If $D^{(l)}$ is not legal, then cheating has occurred. The probability of cheating on the one crucial round while going undetected at any possible earlier cheats is less than

$$\varepsilon + \varepsilon^2 + \varepsilon^3 + \cdots = \varepsilon (1 - \varepsilon)^{-1}.$$

(This can be proven more formally by induction on $t$. Recall that even if the cheater suspects the secret is $s$, the probability of undetected cheating is at most $\varepsilon$.)
A $k$ out of $n$ threshold scheme of any sort known to date involves at least $n$-fold message expansion at the source (where the shadows of the original message are produced). Also, at least $k$ times as much text must be input to the recovery process as is output from it. Linear ramp schemes are more economical but they give only Shannon relative security [BL85]. Is it possible to retain Shannon perfect security and yet cut down the message expansion from at least $n$-fold at the source and at least $k$-fold at the time and place of message recovery? No. In fact the message expansion attained by a Shamir scheme [SH79] or the rigid version [BL85] of a Blakley linear scheme (these two are merely duals of each other) is, in a sense, best possible. Moreover this best possible expansion is slightly larger than just $n$-fold and $k$-fold. The actual expansion factors involve an additive log term. We assume that the reader is familiar with [SH79] and [BL85], and their terminology.

Let $k$ be a positive integer. Let $P$ and $N$ be finite sets such that

$$1 \le k \le n = \mathrm{card}(N) \le \mathrm{card}(P) - 1.$$

Here $\mathrm{card}(N)$ stands for the cardinality of the set $N$. Similarly $\mathrm{card}(P)$. Fix any $a$ which does not belong to $N$. Let

$$V = \bigcup_I P^{I \cup \{a\}}, \qquad W = \bigcup_H P^H,$$

where the unions are over all $(k-1)$-member subsets $I$ of $N$, and over all $k$-member subsets $H$ of $N$, respectively. A $k$ out of $N$ threshold scheme over $P$ is a pair $(E, D)$ of maps

$$E : V \to P^{N \cup \{a\}}, \qquad D : W \to P$$

with the properties that

$$E(\phi)|_{I \cup \{a\}} = \phi$$

$$D(E(\phi)|_G) = \phi(a)$$

for every $k$-entry list $\phi$ belonging to $V$, and every $k$-member subset $G$ of $N$. As usual, the restriction $E(\phi)|_G$ of the function

$$E(\phi) : N \cup \{a\} \to P$$

is the $k$-member sublist of the $n$-member list $E(\phi)$ which consists of only those pairs $(t, E(\phi)[t])$ for which $t$ belongs to $G$. Similarly $E(\phi)|_{I \cup \{a\}}$.

Comment: If the $k$-entry list $\phi$ belongs to $V$ then its $E$-image $E(\phi)$ is a member of $P^{N \cup \{a\}}$ and, thus, amounts to a list with $n+1$ entries. The list $X = E(\phi)$ can have two equal entries, i.e. it is possible to have $X(i) = X(j)$ for two distinct members $i, j$ of $N \cup \{a\}$. But when you consider $X$ as a set of exactly $n+1$ ordered pairs belonging to $(N \cup \{a\}) \times P$ then no two members of this set of ordered pairs can coincide. For any choice of $\phi$ belonging to $V$ we will define a shadow of $\phi(a)$ belonging to $P$ to be a member of $E(\phi)|_N$ considered as an $n$-member subset of $N \times P$. Thus when enough random material has been chosen so that the substance (i.e. message) $\phi(a)$ has given rise to $n$ shadows, no two of these shadows can coincide. This is not a subtlety. Consider a rigid Shamir 3 out of $\{1, 2, 3, 6, 8\}$ scheme on $GF(13)$, with $a = 0$. Let the substance be $\phi(0) = 2$ and suppose two appeals to the random number generator yield

$$\phi(2) = \phi(8) = 2.$$

Then the quadratic polynomial $\phi$ happens to be the constant polynomial

$$\phi(x) = 2 = 2 + 0x + 0x^2.$$

As we have noted, the five shadows of $\phi(0) = 2$ are not the numbers

$\phi(1) = 2$, $\phi(2) = 2$, $\phi(3) = 2$, $\phi(6) = 2$, $\phi(8) = 2$

but are, instead, the five ordered pairs

$(1, \phi(1)) = (1, 2)$, $(2, \phi(2)) = (2, 2)$, $(3, \phi(3)) = (3, 2)$, $(6, \phi(6)) = (6, 2)$, $(8, \phi(8)) = (8, 2)$.

And no two of these five ordered pairs are equal.

The reader might feel that our definition admits Shamir and Blakley schemes but rules out the one-time pad. For in this 2 out of {pad, transmission} case it would indeed seem possible to have

substance = 0
pad = 0
transmission = 0.

Thus it would seem that the two shadows (i.e. the pad and the transmission) are both equal to zero. We will not address this point directly. We will, instead, say two things. First, one-time pads obey the conclusions of our theorem even if they do not obey its hypotheses. Second, a decoder could not place any reliance on the inference

0 = substance
  = pad XOR transmission
  = 0 + 0

with only two bits of information lying around: a 0 and a 0. The decoder would only feel confident if at least one more bit of information were available, namely a yes answer to the question: "Is this 0 really the pad and that 0 really the transmission?" We will return to this idea shortly.

The deeper question of how to formulate a definition of threshold scheme which clearly describes and utilizes all the information really available to the decoder and which, perhaps, leads to a more inclusive theorem with conclusions as strong as ours will be left to the reader.

For every $(k-1)$-member subset $I$ of $N$, we define probability density functions

$$u_I : P^{\{a\}} \to [0,1]$$

$$v_I : P^{I} \to [0,1]$$

$$\lambda_I = u_I v_I : P^{I \cup \{a\}} \to [0,1]$$

in such a way that $v_I$ is a uniform pdf. Such a threshold scheme is called Shannon perfectly secure through the disclosure of $k-1$ shadows. The reason for this is that, on the basis of the probability assessment [BL81] based on these measures, we have the equality

a posteriori probability that $\phi(a) = \pi$, given that $E(\phi)|_G = \psi$
= a priori probability that $\phi(a) = \pi$

for every $\pi$ belonging to $P$, every subset $G$ of $N$ such that $\mathrm{card}(G) = k-1$, and every function $\psi : G \to P$.

Theorem 1: Let $(E, D)$ be a $k$ out of $N$ threshold scheme on $P$. Suppose that it is Shannon perfectly secure through the disclosure of $k-1$ shadows. Suppose there is a way of representing shadows as bit strings. Then the average length of a shadow is no less than $\log\big(\mathrm{card}(P)\,[\mathrm{card}(N) - k + 1]\big)$ bits.

Example 1: In Shamir's scheme a shadow is a pair (x, p(a(x))). The nonnegative 
integer x tells which shadow it is. The substance is p(0). a(x) is a member 
of GF(2^L) which has been fixed and published in advance for all x belonging to 
{1,2,...,n}. p is a polynomial function p: GF(2^L) → GF(2^L) of degree k-1. 

Now it is possible that p(a(x)) = p(a(y)) for x ≠ y. But no two shadows can 
coincide. This is true because the equality (x, p(a(x))) = (z, p(a(z))) 
simply means that you are comparing two copies of the same shadow, not two shadows, 
since x = z. So Shamir's scheme satisfies our hypotheses. And it is right at the 
lower bound if L = 3, k = 4, n = 7. A pair (w, p(w)) could be formatted as a 
3-bit string prefixed by as many bits as needed to identify one of 7 shadows. If 
p(w) = b(3) b(2) b(1) is always a string of 3 bits then the shadows are of the 
forms: 

b(3) b(2) b(1); 
1 b(3) b(2) b(1); 
1 0 b(3) b(2) b(1); 
1 1 b(3) b(2) b(1); 
1 0 0 b(3) b(2) b(1); 
1 0 1 b(3) b(2) b(1); 
1 1 0 b(3) b(2) b(1). 

Their average length is (3+4+5+5+6+6+6)/7 = 5 bits. But the bound here is equal 
to L + log(n-k+1) = 3 + log(7-4+1) = 5. Somebody might say that you could also 
omit a high order bit b(3) if it equals 0. But then you would actually have to 
symbolize the comma in the expression (x, p(a(x))) some way. And this would add 






bits to each word. You could go at it the other way and write out all the x 
values as 3-bit numbers and let the field elements be variable in length. In 
this approach you have 

b(3) b(2) b(1) x(3) x(2) x(1) 

dropping high order b bits which are zero. But here again the possible shadows 
are: 

x(3) x(2) x(1); 
1 x(3) x(2) x(1); 
1 0 x(3) x(2) x(1); 
1 1 x(3) x(2) x(1); 
1 0 0 x(3) x(2) x(1); 
1 0 1 x(3) x(2) x(1); 
1 1 0 x(3) x(2) x(1); 
1 1 1 x(3) x(2) x(1). 

The average length is now (3+4+5+5+6+6+6+6)/8 = 5.125 bits. 

This is one example of a general phenomenon. A Shamir scheme over GF(2^L) 
achieves the theorem's bound, L + log(n-k+1), when n-k+1 is an integer power of 
2. 
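The counting in Example 1, as an added example that is not code from the paper: Shamir shadows over GF(2^3) for k = 4, n = 7, the two shadow formats and their average lengths against the bound of Theorem 1, and an exhaustive check that any k-1 shadows leave every substance equally likely. The field representation (x^3 + x + 1), the choice a(x) = x, and allowing p a zero top coefficient are assumptions of this example.

```python
"""Shamir's k-out-of-n scheme over GF(2^L) and the shadow-length bound of
Theorem 1, worked for L = 3, k = 4, n = 7 as in Example 1.  Added example,
not code from the paper.  Assumptions made here: GF(2^3) is represented on
the irreducible polynomial x^3 + x + 1, the published point a(x) is x itself,
and p may have a zero top coefficient (degree at most k-1)."""
from itertools import product
from math import log2

L = 3
FIELD_SIZE = 1 << L          # card(P) = 8 possible substances
MODULUS = 0b1011             # x^3 + x + 1


def gf_mul(a, b):
    """Carry-less product of a and b, reduced modulo x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_SIZE:
            a ^= MODULUS
    return r


def poly_eval(coeffs, x):
    """Horner evaluation of p(t) = c0 + c1 t + ... over GF(2^L); p(0) = c0 is the substance."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def shadows(coeffs, n):
    """The n shadows (x, p(a(x))) with a(x) = x."""
    return [(x, poly_eval(coeffs, x)) for x in range(1, n + 1)]


def length_index_varies(x):
    """Format 1 of Example 1: p(a(x)) as exactly L bits, prefixed by the shortest
    binary string naming shadow x (x = 1 gets the empty prefix, x = 7 gets 110)."""
    prefix = "" if x == 1 else bin(x - 1)[2:]
    return L + len(prefix)


def length_value_varies(value):
    """Format 2 of Example 1: x as exactly L bits, the field element with its
    high-order zero bits dropped."""
    return L + value.bit_length()


def average_lengths(n):
    """Average shadow length in bits under the two formats."""
    fmt1 = sum(length_index_varies(x) for x in range(1, n + 1)) / n
    fmt2 = sum(length_value_varies(v) for v in range(FIELD_SIZE)) / FIELD_SIZE
    return fmt1, fmt2


def theorem_bound(k, n):
    """log([card(P)][card(N) - k + 1]) bits, the lower bound of Theorem 1."""
    return log2(FIELD_SIZE * (n - k + 1))


def substance_counts(k, observed):
    """For each combination of shadow values at the positions `observed`, count how
    often each substance occurs over all card(P)^k polynomials."""
    counts = {}
    for coeffs in product(range(FIELD_SIZE), repeat=k):
        seen = tuple(poly_eval(coeffs, x) for x in observed)
        counts.setdefault(seen, [0] * FIELD_SIZE)[coeffs[0]] += 1
    return counts


def reveals_nothing(k, observed):
    """Shannon perfect security through k-1 shadows: whatever k-1 shadow values
    are seen, every substance remains exactly as likely as every other."""
    return len(observed) == k - 1 and all(
        len(set(c)) == 1 for c in substance_counts(k, observed).values())


def determines_substance(k, observed):
    """With k shadows exactly one substance remains possible."""
    return len(observed) == k and all(
        sum(1 for v in c if v) == 1 for c in substance_counts(k, observed).values())


if __name__ == "__main__":
    K, N = 4, 7
    print(shadows([5, 3, 0, 6], N))                  # substance is 5
    print(average_lengths(N), theorem_bound(K, N))   # (5.0, 5.125) 5.0
    print(reveals_nothing(K, (1, 2, 3)), determines_substance(K, (1, 2, 3, 4)))
```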

Example 2: Consider a one-time pad for transmitting messages belonging to a set P 
of cardinality 4. Here k = card(N) = 2. On the face of things it would appear 
that the average shadow size is 

(1 + 1 + 2 + 2)/4 = 3/2 

which is smaller than the bound 

log(4) + log(2-2+1) = 2 

in the theorem. Does this mean that the theorem is merely a curiosity with so many 
hypotheses that it cannot usefully apply to the simplest cases? Quite the 
contrary. When we look more closely at this example we will find that the decoder 
must have, on the average, four bits of information when he applies the decode 
process to the two shadows he requires (i.e. the secret pad and the nonsecret 
transmitted message). We may as well let P = {0, 1, 10, 11}. There are 16 
possibilities 





                          secret message to be communicated 
                              0      1     10     11 
                            ----------------------------- 
    secret shared pad   0  |  0      1     10     11 
                        1  |  1      0     11     10 
                       10  | 10     11      0      1 
                       11  | 11     10      1      0 

(each entry is the public transmitted message, pad XOR message) 

A naive observer might conclude that the 16 possible outcomes lead to 16 
decodes with a total number of input bits equal to 

(2+2+3+3) + (2+2+3+3) + (3+3+4+4) + (3+3+4+4) = 48. 

Such an observer would believe the 1.5-bits-per-shadow average alluded to above. 
The error in such a viewpoint lies in not looking at the whole picture. When two 
shadow words (e.g. 1 and 11) are ready to be XORed together to produce the 
reconstructed plaintext word 10 (i.e. the substance 10), the decoder does not 
have merely three bits of information. Some person or device has inspected the pad 
and found it to contain a 1, and has monitored the channel and verified that a 11 
was actually received in what looks like a legitimate transmission. Thus there is 
at least one more bit of information available at the decoder. This bit 
corresponds to a yes answer to the question "Does the pair consisting of 1 and 
11 constitute a valid input, one consisting of a word from the pad and a word 
transmitted in the agreed manner down the channel?" The decoder thus has 4 bits 
of information when it forms 1 XOR 11 = 10. When we take this into account and 
average over the 16 possible pairs we find the average number of bits available 
at decode to be 1/16th of the sum 

(3+3+4+4) + (3+3+4+4) + (4+4+5+5) + (4+4+5+5) = 64. 

Hence the average number of bits per shadow is 2. 

It follows that the one-time pad, which does not seem to obey the hypotheses 
of Theorem 1 (because pad = 0, transmission = 0 is allowable, in violation of the 
assumption that no two shadows are equal), nevertheless obeys its conclusions. 

The purpose of Example 2 is to make the following point. We believe that the 
bound in Theorem 1 cannot be bettered if one takes into account all the information 
available to a decoder. In other words we believe that our hypotheses are unduly 
restrictive and that the message bandwidth expansion attained by, for example, 
certain rigid Shamir schemes [SH79] is best possible no matter how you define a 
shadow. Decode isn't possible if you merely have a few members of a message 
space. You must have some further information. And the amount of further 
information needed is as much as if you knew where each of your message space 
members occurred in the output stream of the encoder. 

The proof of the theorem. 

Now fix any (k-1)-member subset I of N. Note that a is not a member of 
I. Fix any $\pi \in P$. Fix any $\psi \in P^{I}$ and let $\delta[\psi,a,\pi] \in P^{I \cup \{a\}}$ be the k-entry 
list such that 

$\delta[\psi,a,\pi](t) = \psi(t)$ 

for every t belonging to I, and such that 

$\delta[\psi,a,\pi](a) = \pi$. 

Define f: P → P by requiring that 

$f(\pi) = D(\delta[\psi,a,\pi])$. 

Because of Shannon perfect security, f must be a surjection. For, otherwise, 
possession of k-1 shadows would enable somebody to rule out some values of the 
substance as impossible. In fact for every z belonging to P and every s 
belonging to N \ I there exists Y[z,s] belonging to P such that 

$D(\delta[\psi,s,Y[z,s]]) = z$ 

where 

$\delta[\psi,s,Y[z,s]](t) = \psi(t)$ 

for every $t \in I$ and such that 

$\delta[\psi,s,Y[z,s]](s) = Y[z,s]$. 

Since no two shadows of z can be equal for any k-member subset H = I ∪ {s} of 
N it follows that there are at least n-k+1 such shadows (s, Y[z,s]). This is 
true for every $z \in P$. Hence, for any choice of a k-member subset H of N 
there are at least card(P) · (n-k+1) preimages. 
Abstract. This paper describes some recently successful results in the CMOS VLSI 
implementation of public-key data encryption algorithms. Architectural details, circuits, 
and prototype test results are presented for RSA encryption and multiplication in the 
finite field GF(2^m). These designs emphasize high throughput and modularity. An 
asynchronous modulo multiplier is described which permits a significant improvement in 
RSA encryption throughput relative to previously described synchronous 
implementations. 
1. Introduction 

The RSA algorithm provides a well known, secure implementation of a public-key cryptosystem 
[1,2,3]. The arithmetic operations required are exponentiation and modulo reduction involving numbers 
represented by several hundreds of bits. A VLSI approach is justified but presents challenging problems in terms 
of control generation and distribution circuitry, minimization of storage register size and achieving an adequate 
throughput rate. Rivest has given a recent review of other attempts to design an RSA chip [4]. Kochanski [5] has 
described a cascadable chip which implements 32-bit operations on each chip at a rate of 5kbits/sec for 512-bit 
encryption; however, it appears that considerable redesign is required to compress the implementation to one or a 
few chips. CYLINK has recently introduced a chip which can perform 512-bit encryption at 6.4kbits/sec in 2um 
CMOS [6]. A faster design is currently under development at Sandia National Laboratories [7], which uses delayed 
carry adders to avoid carry propagation delay. This approach is said to be capable of 25kbits/sec in 2um CMOS but 
has added complexity due to the difficulty of performing comparisons, storage of two K-bit numbers for 
intermediate results, where K is the number of bits in the modulus, and conversion of the result from the delayed 
carry representation to binary. Also, the MSB of the modulus must be justified (the message is shifted equally) and 
the ciphertext returned to LSB justification at the end of the encryption and, as well, the modulo multiplication 
results need to be shifted 11 bits. 

In this paper we describe a bit-slice architecture which incorporates the RSA control functions in 
the slice along with the arithmetic (modulo multiplication) functions. Registers longer than the modulus are 
avoided using concurrent modulo reduction. A 32-bit prototype has been fabricated in 3um CMOS and successfully 
tested. Based on test results and simulations, a throughput rate of 1 kbits/sec should be possible for 512-bit 
encryption with a 2um CMOS process. 

In an effort to substantially improve the throughput rate of the bit-slice implementation, a new 
bit-slice design has been developed employing asynchronous (self-timed) ripple adders [8]. With a small penalty 
in extra control circuitry, an increase in throughput of up to 40 times can be obtained. A 22-bit prototype in 3um 
CMOS has been successfully fabricated and tested and a 64-bit version is currently being fabricated. 

Multiplication in the finite field GF(2^m) is employed in several data encryption algorithms as 
well as other areas of communications [7,9]. Recent work has shown that cryptographic algorithms based on 
arithmetic in GF(2^m) require very large values of m for security [10,11]. In particular, values of m in the range 
of 1500 bits are recommended. However, for large m, efficient VLSI implementation of the multiplication function 
requires careful algorithm design to provide modularity and concurrency as well as simplified control 
requirements. A new multiplication algorithm will be described along with a suitable bit-slice VLSI architecture 
[12]. Test results from an 8-bit prototype will be presented. 

2. Modulo multiplication algorithms 

The RSA encryption and decryption transformations involve exponentiation and modulo reduction 
of a text data block possibly of several hundred bits. The arithmetic process involved is modulo multiplication 
which requires addition, subtraction and shifting. 

Brickell [7] and Blakley [13] have proposed modulo multiplication algorithms in which 
multiplication is performed concurrently with modulo reduction. This differs from the algorithms used by Rivest 
[14] and Simmons and Tavares [15] where multiplication of two K-bit numbers is first performed and then the 
resulting 2K-bit number is modulo reduced. The maximum word length is (K+1) bits using concurrent modulo 
reduction. Concurrent algorithms save storage space, reduce adder carry propagation time and require fewer clock 
periods. Only algorithms of this type will be considered in the remainder of this section. 

All of the concurrent algorithms which restrict number lengths to (K+1) bits perform 
multiplication in one of two ways. The most familiar way of multiplying two numbers is to add shifted versions of 
the multiplicand or zero depending on the value of the multiplier bits. An example of this technique is shown below 
in Example 1(a). The second way involves adding the multiplicand or zero to the running total and shifting the 
running total, as shown in Example 1(b). 



Example 1: Binary multiplication 

       (a)                          (b) 
           1010                         1010 
         x 1101                       x 1101 
         ------                       ------ 
           1010                         1010 
          00000                         1010 
         101000                         0000 
      + 1010000                      +  1010 
      ---------                      ------- 
       10000010                     10000010 



Most techniques of modulo reduction rely on adding some positive or negative multiple of the 
modulus. With the following concurrent modulo reduction algorithms, the number being reduced is smaller in 
magnitude than twice the modulus. The modulus is either added or subtracted to reduce the absolute value of the 
number below the magnitude of the modulus. Modulo reduction can also occur indirectly. An example of indirect 
modulo reduction of the running total is to first add or subtract the modulus from another number such as the 
intermediate product (IP) and then add the adjusted IP to the running total. With the two methods of performing 
multiplication illustrated in Example 1, a variety of methods for concurrent modulo reduction can be employed, all 
of which must prevent overflow by finishing with a number less in magnitude than the modulus. The algorithms 
operate correctly with starting values less in magnitude than the modulus, so if overflow occurs, the magnitude 
would continue to increase in subsequent periods. The conditions for concurrent modulo reduction, without 
overflow, are summarized below. 

If a number, A, which is less in magnitude than the modulus, n, is multiplied by 2 
or added to another number, B, which is also less in magnitude than the modulus, 
the intermediate result can be modulo reduced in the time for one addition. In the 
case of a positive intermediate result the modulus is subtracted and in the case of a 
negative intermediate result the modulus is added. 

i.e.  if 0 ≤ A < n                       if 0 ≤ A < n and 0 ≤ B < n 
      then 2A - n < n                    then A + B - n < n 
      and 2(-A) + n > (-n)               and (-A) + (-B) + n > (-n) 

A number of useful modulo multiplication algorithms will now be discussed. 
Algorithm A 

A flow graph of the algorithm is shown in Fig. 1 which is a modification of Blakley's algorithm 
[13]. Multiplication is done by shifting the intermediate product (IP) and modulo reducing if the IP is greater than 
the modulus [16]. Then, if the multiplier bit is a 1, the IP is added to the running total. After this, the running 
total is modulo reduced if necessary. Both the IP and the running total are always positive. A disadvantage of this 
algorithm is that the running total may require two consecutive additions per multiplier bit. 

[Fig. 1 legend: A = multiplier, P = intermediate product, B = multiplicand, S = running total, 
n = modulus, K = multiplier length; i = 0, P(0) = B, S(0) = 0; Result = S(K)] 

Fig. 1. Modulo multiplication algorithm A. Three adders are used with an average 
of 1.5 addition phases per multiplier bit. 
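Algorithm A written out as an added example (not the paper's code) so that the (K+1)-bit bound on every register can be checked exhaustively, with the square-and-multiply exponentiation the RSA section builds on it. The order of add and shift inside a period and the toy RSA parameters in the demo are this example's assumptions.

```python
"""Algorithm A of the paper (a modification of Blakley's method) with the
modulo reduction interleaved into the multiplication, so that neither the
intermediate product nor the running total ever exceeds K+1 bits.  Added
example, not the paper's code: Python ints stand in for the bit-slice
registers, and the order of add and shift within a period is chosen here."""


def modmul_alg_a(a, b, n):
    """Return ((a*b) mod n, the largest value either register held).

    P is the intermediate product (P(0) = B as in the Fig. 1 legend) and S the
    running total.  Per multiplier bit, LSB first: if the bit is 1, add P to S
    and reduce S once; then double P and reduce it once.  Both registers stay
    in [0, n), so every intermediate value is below 2n.
    """
    if not (0 <= a < n and 0 <= b < n):
        raise ValueError("operands must already be reduced modulo n")
    k = n.bit_length()                 # K, the modulus / multiplier length
    p, s, widest = b, 0, 0
    for i in range(k):
        if (a >> i) & 1:
            s += p                     # first addition phase
            widest = max(widest, s)
            if s >= n:
                s -= n                 # possible second addition phase
        p <<= 1                        # shift the intermediate product
        widest = max(widest, p)
        if p >= n:
            p -= n                     # one subtraction suffices since p < 2n
    return s, widest


def exhaustive_check(n):
    """Compare every product modulo n with Python's arithmetic and confirm the
    K+1-bit property (largest intermediate value < 2n)."""
    for a in range(n):
        for b in range(n):
            r, widest = modmul_alg_a(a, b, n)
            if r != (a * b) % n or widest >= 2 * n:
                return False
    return True


def modexp(m, e, n):
    """RSA transformation built only from modmul_alg_a: the message is
    repeatedly squared and a running-product multiplication is performed
    whenever the corresponding exponent bit is one."""
    result, square = 1 % n, m % n
    while e:
        if e & 1:
            result = modmul_alg_a(result, square, n)[0]
        square = modmul_alg_a(square, square, n)[0]
        e >>= 1
    return result


if __name__ == "__main__":
    print(exhaustive_check(251))                    # True
    # Toy RSA parameters assumed for illustration: n = 61 * 53, e = 17, d = 2753
    c = modexp(65, 17, 3233)
    print(c, modexp(c, 2753, 3233))                 # 2790 65
```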

Algorithm B 

A concurrent modulo multiplication algorithm was suggested by Simmons and Tavares [15] which 
uses multiplication with the running total multiplied by two each period as shown in Fig. 2. A normal cycle starts 
with the running total being multiplied by 2, followed by adding the IP. Then the running total is modulo reduced 
using an add/subtract scheme. However, overflow occurs because the combination of multiplication by 2 followed 
by addition of the multiplicand cannot always be modulo reduced with one addition or subtraction. A necessary 
modification is to add a negative IP if the running total is positive. This negative IP is generated during the 1st 
period by adding the positive multiplicand to the running total and then subtracting the modulus to produce a 
negative result. The negative IP is then stored in a separate register for future use. With this method the final 
result must be adjusted positive by adding the modulus if necessary. A maximum of one period is required for this 
step. Algorithm B requires only 2 adders but, as with algorithm A, two consecutive additions may be required per 
multiplier bit. 

[Fig. 2 legend: A = multiplier, S = running total, B = multiplicand, K = multiplier length, 
n = modulus; i = K, S(K) = 0; steps shown include S(i-1) = S(i-1) - n and (B-n) = S(i-1)] 

Fig. 2. Algorithm B for modulo multiplication. Two adders are used with an average 
of 1.5 addition phases per multiplier bit. 

Algorithm C 

It was thought desirable to consider a modulo multiplication algorithm which would perform all 
additions during one addition phase per multiplier bit and with a reduced number of adders. An algorithm which 
uses only 2 adders, which operate concurrently, is algorithm C shown in Fig. 3. In this algorithm, the running 
total is multiplied by 2 each period. Then if the multiplier least significant bit (MLTlsb) is 0, the running total is 
modulo reduced. If the MLTlsb is 1, two additions are performed and one of the results is selected as the new modulo 
reduced running total. This algorithm requires more area because four intermediate products, P, P+n, P-n, and 
P-2n, need to be first generated then stored. Due to the increase in area required for algorithm C, it was not 
considered further. 

Fig. 3. Algorithm C for modulo multiplication. Two adders are used with one 
clock phase per multiplier bit. 



Algorithm D 

Algorithm D performs three additions in a single phase per multiplier bit as shown in Fig. 4. 
Asymmetrical clock phases are generated with a shortened phase used to set up the adder inputs. As with algorithm 
A, the previous IP is multiplied by 2 each period. Algorithm D differs in running total generation. If the running 
total is positive, a negative IP is added to the running total. On the other hand, if the running total is negative, a 
positive IP is added. This keeps the running total from overflowing and allows it to be generated in one step. The 
positive IP is generated exactly the same as the IP in algorithm A. At the same time as the positive IP is modulo 
reduced, twice the modulus is subtracted from twice the previous positive IP. This results in an IP between 0 and 
-2n. After K periods, where K is the number of bits in the modulus, the multiplication is finished but the running 
total may need to be adjusted positive by adding the modulus. This takes a maximum of two periods. Algorithm D 
uses three adders with 1 concurrent addition per multiplier bit and provides a useful compromise between speed 
and area. 

Fig. 4. Modulo multiplication algorithm D. Three adders are used 
with one phase per multiplier bit. 



Algorithm E 

An efficient concurrent modulo multiplication algorithm may be devised using the modified Booth's 
Algorithm (MBA), where the multiplier is shifted two bits at a time. Two consecutive additions per clock period 
would be required, but the number of clock periods would be reduced by half. This algorithm will be faster if the 
constant circuit delays in a period are larger than the average addition time which would be the case with a fast 
adder. In the case of the adder to be described later, approximately a 10% to 15% increase in area would result 
along with 50% improvement in speed compared to algorithm D. 

The modified Booth's Algorithm (MBA) is frequently used to improve the speed of multipliers 
[17]. Through encoding of the multiplier bits, the number of intermediate products to be added is reduced by half. 
Booth's Algorithm works by skipping over any contiguous string of all 1's or all 0's. A string of all 0's does not 
require any IP's to be added, but a string of 1's requires an addition and a subtraction. For example, if the 
multiplier is 11100, (100000 X multiplicand) is added and (10 X multiplicand) is subtracted. The MBA looks at 
the three least or most significant multiplier bits at a time depending on the direction that the multiplier is being 
shifted and shifts the multiplier by 2 bits each clock period. The intermediate products are multiplied by 0, ±1, 
and ±2 before accumulation as shown in Table 1. 

Table 1. Encoding of multiplier for the modified Booth's Algorithm. The centre bit of the 
three bits being encoded is referred to as the i-th bit. 

   Multiplier bits       Factor of IP 
   i+1    i    i-1       accumulated      Operation 
    0     0     0             0           no string 
    0     0     1            +1           end of string 
    0     1     0            +1           a string 
    0     1     1            +2           end of string 
    1     0     0            -2           beginning of string 
    1     0     1            -1           -2 + 1 = -1 
    1     1     0            -1           centre of string 
    1     1     1             0           middle of a string 


Algorithm E is diagrammed in Fig. 5 and uses a total of four adders with two adders operating in 
each phase of a two phase clock. The intermediate products are generated as in algorithm A, but multiplied by 0, 
± 1 , or ±2 before accumulation. Two positive IP's are generated each period consecutively, corresponding to 2 and 
4 times the previous IP. Each IP is calculated by shifting the previous IP by 1 bit and subtracting the modulus if 
necessary. Each period, the appropriate IP is selected, inverted if a negative IP is required and added to the running 
total. The running total is then modulo reduced by either adding or subtracting the modulus. Two additions are 
performed each period to generate the IP's and two additions are used to generate the running total. An algorithm 
which uses fewer additions could be devised at the expense of more memory. 
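Table 1 turned into code, as an added example that is not the paper's own: each bit pair of the multiplier becomes a factor in {0, ±1, ±2} for the intermediate product, and the product is rebuilt by accumulating factor × multiplicand × 4^j, which is what halves the number of IP additions in Algorithm E. The modulo reduction is left out here; only the encoding is shown.

```python
"""Modified Booth's Algorithm encoding from Table 1, as an added example
(not the paper's own code).  Each pair of multiplier bits, together with the
bit below the pair, selects a factor in {0, +1, +2, -1, -2} for the
intermediate product; accumulating factor * multiplicand * 4^j gives the
product with at most one addition per bit pair."""

# (bit i+1, bit i, bit i-1) -> factor of IP accumulated, exactly as in Table 1
TABLE_1 = {
    (0, 0, 0): 0,    # no string
    (0, 0, 1): +1,   # end of string
    (0, 1, 0): +1,   # a string
    (0, 1, 1): +2,   # end of string
    (1, 0, 0): -2,   # beginning of string
    (1, 0, 1): -1,   # -2 + 1 = -1
    (1, 1, 0): -1,   # centre of string
    (1, 1, 1): 0,    # middle of a string
}


def booth_digits(multiplier):
    """Radix-4 digits of a non-negative multiplier, least significant first.

    The bit below the LSB is taken as 0, and two zero bits are appended above
    the MSB so that a string of ones reaching the top still gets its
    terminating '+1' group.  Trailing zero digits are dropped.
    """
    if multiplier < 0:
        raise ValueError("unsigned multiplier expected")
    bits = [int(c) for c in bin(multiplier)[2:][::-1]]   # LSB first
    if len(bits) % 2:
        bits.append(0)
    bits += [0, 0]
    digits, below = [], 0                                 # 'below' is bit i-1
    for i in range(0, len(bits), 2):
        digits.append(TABLE_1[(bits[i + 1], bits[i], below)])
        below = bits[i + 1]
    while digits and digits[-1] == 0:
        digits.pop()
    return digits


def decode(digits):
    """Reassemble the multiplier from its digits: sum of digit_j * 4^j."""
    return sum(d * 4 ** j for j, d in enumerate(digits))


def booth_multiply(multiplier, multiplicand):
    """Return (product, number of IP additions/subtractions performed)."""
    total, additions = 0, 0
    for j, d in enumerate(booth_digits(multiplier)):
        if d:                                       # factor 0: nothing to add
            total += (d * multiplicand) << (2 * j)  # +-1 or +-2 times shifted IP
            additions += 1
    return total, additions


if __name__ == "__main__":
    # The paper's example: 11100 = +100000 - 10, i.e. digits [0, -1, +2]
    print(booth_digits(0b11100))                    # [0, -1, 2]
    # Example 1 of the paper: 1010 x 1101 = 10000010
    print(booth_multiply(0b1101, 0b1010))           # (130, 3)
```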

Comparison of modulo multiplication algorithms 

The algorithms presented in this section employ concurrency of multiplication and modulo 
reduction to improve the bit throughput rate. A comparison of six modulo multiplication algorithms is given in 
Table 2. The selection of the "best" algorithm depends on system parameters such as the delay required for 
additions relative to constant circuit delays, the availability of non-symmetric clock phases, asynchronous timing 
and memory. Algorithm D was chosen for implementation because it is almost as fast as algorithm C and occupies 
about the same area as algorithm A. Algorithm E has only been considered recently. Algorithms A and B are closely 
matched in speed and area. Long addition times relative to constant delays result in algorithms D and E operating at 
the same speed, while short addition times make algorithm E twice as fast. With the pulse-timed adder to be 
described in section 4, the constant circuit delays are at least twice as large as the average addition time, which 
would make algorithm E at least 50% faster than algorithm D. 

[Fig. 5 legend: A = multiplier, P = intermediate product, B = multiplicand, S = running total, 
n = modulus, K = multiplier length; i = 0, P(0) = B, S(0) = 0] 

Fig. 5. Modulo multiplication algorithm E. Four adders are used with an average of 1.75 
clock phases and the modified Booth's Algorithm. 

3. RSA implementation 

Architectural aspects 

Modulo multiplier architecture. A bit slice architecture for algorithm D is shown in Fig. 6. With a fast adder, 
communication delays become more significant. Signal flow within the bit slice is less time consuming than the 
propagation of signals, such as clock signals, MLTlsb, START, ADDER 1 carryout, and BEGIN which must be sent to 
all slices. A completion signal generator subsystem (CSG) is added if pulse-timed adders are used (described in 
section 4). 

A sum term generator controller (STGC) is required to select the input to the running total adder. 
This subsystem is a 4 to 1 multiplexer, which selects from 0, n, IP, and (2IP(i-1) - 2n) as shown in Fig. 6. 
The STGC is controlled by logic outside the bit slice which has inputs: MLTlsb, SSRsign, start, phi2, and K or K+1. 
The signals K or K+1 are from the shift register counter which flags the multiplier to adjust the result positive. 
Fig. 6. A bit-slice architecture for algorithm D. 

RSA architecture. Three slices of a new bit-slice RSA architecture which includes the implementation of modulo 
multiplication algorithm D described above is shown in block diagram form in Fig. 7. Modulo exponentiation is 
performed as a series of modulo multiplications. The message is repeatedly squared and modulo reduced and a 
running-product modulo multiplication is performed if the corresponding exponent bit is a one. Modulo 
multiplications are carried out by the subsystems in the upper half of the bit slice while the RSA control functions 
are implemented in the lower half. The same architecture can be used with other modulo multiplication algorithms. 
Input and output of data is synchronous and concurrent. 

A general purpose register (STRSR) acts as a shifting or storage register with its function 
determined by control logic outside the bit slice as shown in Fig. 8. The use of this dual purpose subsystem 
considerably reduces the number of custom subsystems required. The circuitry is compact because control logic 
for the gates is outside the bit slice. This saves area because one set of control logic is used for all slices. Control 
logic delay is not a factor since the storage operations are not speed limiting. Standard cells would be suitable for 
the control logic outside the bit slice. For RSA operation, the message is shifted into both the square term storage 

Fig. 7. Bit-slice architecture block diagram (3 slices). 

register (SQTSTR) and the multiplication running total storage register (MULSTR). A single modulo multiplication 
can be performed by loading the multiplicand into SQTSTR and the multiplier into MULSTR. 



Fig. 8. A multiple function data register (STRSR); its control inputs (STATIC, the LOAD 
lines and OUTct) come from logic outside the bit slice. 



Modulo multiplications are timed with a shift register counter in the bottom row of Fig. 7. The 
completion of an RSA encryption transformation is set by the END-SIGNAL which allows for exponents of different 
lengths. The end and exponent registers (ENDSCR and EXPSCR) shift after 1 or 2 modulo multiplications, 
depending on the exponent bit. Several external control signals are needed: BEGIN starts the encryption; MODMULT 
sets the chip for a single modulo multiplication; EXT sets the chip to external synchronous timing for data I/O or 
synchronous testing. The total number of pins required is about 12 depending on the actual application. 

Asynchronous operation of the adders can be accommodated using a completion signal generator 
subsystem (CSG). Fig. 7 shows a pair of CSG subsystems, CSGleft and CSGright, which detect all three carry outputs 
every second slice. For synchronous operation, the CSG subsystems are not required. 

Asynchronous aspects 

A self-timed adder. Several synchronous adders were considered such as carry lookahead, carry select, and the 
binary lookahead carry adder [18]. These adders had disadvantages such as high area, irregular layout, slower 
speed, or the difficulty of providing non-symmetric synchronous clock phases. Past approaches to self-timed 
adders have been speed independent or Muller circuits which use double rail logic. The disadvantages of this method 
are slower carry propagation and several times greater implementation area. Pulses have been used successfully 
to time asynchronous operations, such as asynchronous access of stored state registers [19]. When access is 
requested, an edge detector / pulse generator circuit forms a pulse to time the operation. 

A new pulse-timed adder which borrows ideas from Hayes [19] is shown in Fig. 9, in which carry 
propagations are detected in a precharged ripple adder. Carry outputs are reset to 0 during the precharge phase, so 
only propagations of 1 have to be detected. An edge detector / pulse generator circuit provides enough delay for the 
carry signal to propagate to the next pulse subsystem. A pulse subsystem is only half as large as a low area 
precharge adder slice. Pulses are combined to create the completion signal with a single active load pullup NOR 
gate. 



[Fig. 9 labels: pulse self-timed modification for precharge-carry adders; full adder with 
CARRYout; edge detector / pulse generator producing PULSEout; variable delay subsystem with 
delay control RTct; "phi1 complete" in, "addition complete" out] 

Fig. 9. Self-timed adder circuit details. 

Several features of the adders make this scheme feasible. Overlap of the pulses prevents 
premature generation of the completion signal. The pulses are made several times wider than necessary since the 
resulting delay at the end of the additions is absorbed by subsequent RSA operations. The mean of the maximum 
number of consecutive carries in a 512 stage adder is only 8.2 with a variance of 3.3 (almost 60 times faster than 
a ripple adder alone, on average!). The probability of less than 5 carries is negligible so a starting delay equivalent 
to 4 carries can be provided to overlap the first pulses. A pulse subsystem is not required every slice and all three 
adders calculating during the same phase can signal with the same NOR gate pulldown. 

Optimization of the adder speed must be balanced against area considerations. A pulse subsystem 
every slice is the fastest on average. However too many pulldowns slow down the large NOR gate. The number of 
pulldowns can be reduced by grouping pulses with smaller NOR and NAND gates first. These variables were adjusted 
to achieve low area and a regular layout. 

Clocking In combining the modulo multiplication algorithm of Fig. 4 with the self-timed adder of Fig. 9 in the 
bit-slice architecture of Fig. 7, several control and timing considerations must be addressed. 

The clock has to be capable of switching between asynchronous and synchronous timing to allow 
synchronous I/O and testing. Also, when the RSA encryption is finished, the clock should stop with the ciphertext 
safely in a storage register. These functions are implemented with random logic as shown in Fig. 10. A Muller C 
element is used to prevent the PHI2 clock signal from going low until the PHI I clock phase has risen to prevent a 
race condition. This allows the PHI2 falltime to be set to the minimum value and only the risetime of the variable 
delay elements have to be adjustable. 

Driver delays form a significant part of the clock period. Delays for generating some control 
signals cannot be avoided but the delay of the clxk drivers can be largely prevented from adding to the clock period. 
Most of the falltime of clock phases does not contribute to the clxk period because the clxk phase widths can be 
externally adjusted. Also the non-overlap time can be externally minimized as shown in Fig. 10. In the 8 and 24 
slice implementations, the inverted driver outputs, cPH1 1 and cPHI2, were fed back to the clxk controller rather 
than delayed versions of cPHI I sig and cPHI2sig. This guarantees that there is sufficient non-overlap time but it is 
not adjustable and results in an approximately 30£ larger clxk period. 

For some parts of the circuit, considerable area would be required to generate completion signals 
logically. Delay elements were used instead with active load resistors to time these circuits. Active loads can 
provide sufficient dels/ in a small area and can be controlled by an external DC voltage (RTct in Fig. 9). The new 
data rate control scheme employs a single pin to control all delay elements. An intermediate DC voltage is first 
selxted, say, 2.5 Volts. Then the gate aspect ratio of exh xtive load is chosen to provide the expxted circuit delay. 
During testing, the DC voltage is reduced to find the maximum operating rate (similar to finding the maximum 
clxk rate of a synchronous chip). The accuracy and stability of the xtive loads can be improved by increasing the 
gate length and width while keeping the gate aspect ratio constant. This asynchronous timing method has the 
advantages of rate control lability, low area, elimination of global clxk distribution, and allows different processes 
to be timed at their own rate. Lastly, it uses only 1 pin. Corrxt chip timing is ensured since the delay of exh 
variable delay element can be increased arbitrarily. 

Synchronization failure can occur when gating an asynchronous signal to a synchronous system. 
Only latching the END signal is prone to this type of failure. In an encryption environment, a host processor would 
periodically sample the END signal and there is a small probability that a metastable state would be detected. 
Increasing the settling time rapidly decreases the failure rate to an acceptable level [201. The required settling 
time is negligible compared to the encryption time. 
Fig. 10. Clock controller for the RSA chip with algorithm D and asynchronous adders. 
The non-overlap time is adjustable. 



Implementation 

Output speed limits. Output driver current will often limit a synchronous clock rate while an asynchronous clock 
is not I/O limited since there is no I/O during the RSA transformation. The estimated average asynchronous clock 
rate in 2um CMOS is as high as 30MHz. This advantage of asynchronous timing will become more pronounced as 
processes scale down further. Circuit speed scales down as λ^2 [21], where λ is the scaling ratio, if the power 
supply voltage is held constant. However, the driver speed scales down as λ/ln(λ) [22]. Asynchronous techniques 
could also be applied to any synchronous algorithm to allow the RSA encryption to proceed faster than the I/O speed. 



The data rate of algorithm D. Algorithm D requires one clock phase for addition plus a shorter phase to set up the 
adder inputs. The throughput rate is affected by the on-chip communication delays which are hard to estimate 
accurately since they depend on the particular manufacturing process. Estimates based on SPICE simulations of 
signal propagation delays can be made. A calculation of the bit rate for algorithm D with the pulse-timed adder 
yields a rate of 40kbits/sec. Details of this calculation are provided in Appendix A. This corresponds to an average 
asynchronous clock rate of 30MHz. A slower synchronous clock rate would be used for I/O, but a negligible number 
of clock periods are required for I/O. At the expected clock rates, small variations in the circuit speed have a large 
effect on the throughput rate, but a conservative estimate of 30kbits/sec appears reasonable. 

A synchronous bit-slice implementation. Fig. 11 is a photomicrograph of a 32-bit prototype chip executed in 3um 
CMOS. Algorithm A has been used for modulo multiplication. A different architecture than that shown in Fig. 7 is 
employed in the synchronous implementation, which simplifies the control logic external to the slice at the 
expense of more custom registers. The bit slices run horizontally and are comprised of 14 subsystems which 
implement modulo multiplication, exponentiation and storage functions. Input and output data flow is serial which 
minimizes the total pin count. This chip has been tested and shown to correctly perform RSA encryption (or 
decryption) at a synchronous clock speed of 200kHz, which corresponds to a rate of 4kbits/sec. The synchronous, 
pre-charged adder delay per bit has been measured to be 8 ns in 5um CMOS from which a throughput rate of 
1 kbits/sec for 512-bit encryption is predicted for a 2 micron CMOS process. For 3um CMOS and 32-bit 
encryption, a rate of 5MHz and 100kbits/sec encryption is predicted. The low measured speed is difficult to 
explain since a 7-bit prototype in 5um CMOS was found to operate at 2MHz. More samples are being bonded for 
testing which may indicate if process parameter variations are involved. 




Fig. 11. Photomicrograph of synchronous 32-bit RSA prototype implemented in 3um CMOS. 

Asynchronous implementation. Fig. 12 is a photomicrograph of a 24 slice implementation of an asynchronous RSA 
design based on algorithm D, the architecture described in Fig. 7 and the pulse-timed adder. The data analyser 
display for a 22 bit encryption is shown in Fig. 13. Input and output of data are overlapped, so both input and the 
previous output can be seen at the same time. Both inputs and outputs start least significant bit first. 

Fig. 12. Photomicrograph of asynchronous 22-bit RSA prototype implemented in 3um CMOS. 




Fig. 13. Data analyzer display for a 22-bit computation: 584,932^283,948 mod(1,283,476) = 19,876. Due to 
the slow sampling rate PHI2ext appears to stay at 0 sometimes. A single input set was cycled, so this ciphertext 
corresponds to this input set. 

The average asynchronous clock rates of these designs provide a good indication of the accuracy of 
the speed extrapolations made in Appendix A. In 2um CMOS for 512-bit encryption, the estimated optimized 
throughput was 40kbits/sec with an average clock rate of 30MHz. In 5um CMOS for an 8 slice prototype, the 
average clock rate was found to be 3MHz and the encryption rate was 300kbits/sec, while in 3um CMOS for 24 
slices the average clock rate was found to be 5MHz and the encryption rate 150kbits/sec. The estimated optimized 
average clock frequencies for these processes were 6MHz for 5um CMOS (8 slices) and 13MHz for 3um CMOS (24 
slices). Additional samples are being bonded to determine if the slower than predicted clock rate is related to 
process variations. In any case, there are some further steps which can be taken to increase speed, including use of 
double metallization, so that it seems possible that the predicted performance can be attained. 
Work in progress. Expansion of the asynchronous design to perform transforms involving many hundred bits is 
necessary to verify the speed advantages of the architecture and algorithms described here. The 64-bit chip 
presently being fabricated in 3um CMOS will help to verify the extrapolations which were made to predict the 
speed of a 512-bit design in 2um CMOS. A 128-bit version has also been designed and will be fabricated in the near 
future. 

Significant further improvements in the throughput rate of RSA encryption are not likely to come 
from faster adders. With the asynchronous pulse adder, constant circuit delays take about twice as long as the three 
concurrent additions. The constant delays which result from signal propagation delays (excluding additions) are 
difficult to reduce in this style of architecture. Thus, a faster adder could only achieve about a 30% speed 
improvement at the most. Future improvements may be possible with new architectures. 

Higher bit rates can be achieved by interconnecting chips in several patterns. One suggested 
architecture is a systolic arrangement of modulo multipliers [23]. This design cascades at least K modulo 
multipliers with a systolic data flow, where K is the number of bits. New systolic arrangements of asynchronous 
encryption units are faster and can be built with any number of encryption units. Binary tree input distribution, 
with token ring chip selection is the most efficient and achieves the same performance as a single encryption chip. 

4. A multiplier for the finite field GF(2^m) 

Arithmetic operations in the finite field GF(2^m) are quite different from ordinary integer 
arithmetic operations. Addition does not involve carries and is thus easier to perform than integer addition, but 
multiplication is still a fairly complex and difficult task. Most circuits proposed [9,24] are not suited for use in 
VLSI systems. They require excessive silicon area, complicated control schemes, complex wire routing, have 
nonmodular structures, or lack concurrency [12]. 

The systolic multiplier developed by Yeh, Reed and Truong [25] is suitable for VLSI 
implementation although it is only moderately compact and has a latency of 2m time units which may be 
undesirably long for some applications. The implementation of the Massey-Omura multiplier [26] is simpler than 
the systolic version and operates with a smaller latency, but is less modular and has a circuit structure and 
operating speed which is dependent on the size of the field. 

The architecture to be described here uses an approach similar to the one outlined by Laws and 
Rushforth [27]. It is modular and therefore easily expanded, compact, and requires few control signals. The 
multiplication time and latency are m time units. 

The algorithm 

It is assumed that the reader has a basic knowledge of finite fields. If $A(x) = a_{m-1}x^{m-1} + \dots + a_1 x + a_0$ 
and $B(x) = b_{m-1}x^{m-1} + \dots + b_1 x + b_0$ are two elements of GF(2^m), then their product, $A(x)B(x) \bmod F(x)$, 
is $P(x) = p_{m-1}x^{m-1} + \dots + p_1 x + p_0$, where $F(x) = f_{m-1}x^{m-1} + \dots + f_1 x + 1$ is an irreducible polynomial. 
The multiplication, $A(x)B(x) \bmod F(x)$, can be expanded by multiplying each term of B(x) by 
A(x): 

$$P(x) = A(x)B(x) \bmod F(x)$$
$$= \{ A(x)\, b_{m-1} x^{m-1} \bmod F(x) + \dots + A(x)\, b_1 x \bmod F(x) + A(x)\, b_0 \bmod F(x) \} \bmod F(x)$$

The first term $A(x)\, b_{m-1} x^{m-1} \bmod F(x)$ is computed, followed by each successive term which is 
added to it and the sum reduced mod F(x) until all the terms have been used. 

If A = [a_{m-1}, ..., a_1, a_0] is the vector of coefficients of A(x) and similarly for B(x), P(x) and 
F(x), then this algorithm can be represented by the flowchart in Fig. 14. Element A is added to the intermediate 
product, P, whenever the current bit of B, b_i, is a 1. F is added whenever the most significant bit (MSB) of P is 1, 
which indicates that modulo reduction is necessary. These two decisions are carried out simultaneously. If the field 
is of degree m, then m steps are needed to complete a multiplication. 
Fig. 14. Flowchart of GF(2^m) multiplication algorithm. 
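The MSB-first bit-serial multiplication of the flowchart, as an added Python example (not code from the paper): F is assumed to be an irreducible polynomial of degree exactly m carried with its x^m term, and the reference multiplier and exhaustive check are constructed here for verification only.

```python
# Added example (not the paper's own code): the MSB-first bit-serial
# GF(2^m) multiplication described above and in the flowchart of Fig. 14.
# Polynomials over GF(2) are Python ints with bit i = coefficient of x^i.
# F is assumed to be an irreducible polynomial of degree exactly m; its x^m
# coefficient (the MSB of F, always 1) is carried in the int but, as the
# text notes, never enters the arithmetic below.

def gf2m_mul_bitserial(A: int, B: int, F: int, m: int) -> int:
    """A(x)*B(x) mod F(x) in m steps, consuming B from b_{m-1} down to b_0."""
    assert F >> m == 1, "F must have degree exactly m"
    assert 0 <= A < (1 << m) and 0 <= B < (1 << m)
    mask = (1 << m) - 1
    low_F = F & mask                    # f_{m-1} ... f_0, the bits actually used
    P = 0
    for i in range(m - 1, -1, -1):
        # Both decisions are taken on the current P, as in the hardware:
        msb_P = (P >> (m - 1)) & 1      # x^{m-1} term, becomes x^m after the shift
        b_i = (B >> i) & 1
        P = (P << 1) & mask             # P(x) <- x*P(x); the x^m bit is dropped ...
        if msb_P:
            P ^= low_F                  # ... and cancelled by adding F(x)
        if b_i:
            P ^= A                      # P(x) <- P(x) + b_i*A(x)
    return P


def gf2m_mul_reference(A: int, B: int, F: int, m: int) -> int:
    """Schoolbook carry-less multiply followed by long division, for checking."""
    prod = 0
    for i in range(m):
        if (B >> i) & 1:
            prod ^= A << i
    for d in range(2 * m - 2, m - 1, -1):   # clear degrees 2m-2 .. m in turn
        if (prod >> d) & 1:
            prod ^= F << (d - m)
    return prod


def check_all(F: int, m: int) -> bool:
    """Exhaustively compare both multipliers over the whole field GF(2^m)."""
    q = 1 << m
    return all(gf2m_mul_bitserial(a, b, F, m) == gf2m_mul_reference(a, b, F, m)
               for a in range(q) for b in range(q))


if __name__ == "__main__":
    F4 = 0b10011                                        # x^4 + x + 1, a GF(2^4) case as in Fig. 15
    print(gf2m_mul_bitserial(0b1001, 0b0110, F4, 4))    # (x^3+1)(x^2+x) mod F4 = x+1 -> 3
    print(check_all(F4, 4))                             # True
```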



Architecture 

The multiplier architecture is shown in Fig. 15 for the field GF(2^4). Registers a_j, f_j and P_j hold 
A, F and the intermediate product P, respectively. The MSB of F, which is always 1, is actually not used in the 
calculation. The state of b_i, latched with a flip-flop, and the MSB of P constitute the two primary control signals. 
The left shift is performed by loading the output of stage L_j into the product register P_{j+1} of the next stage L_{j+1}. 
The final product is transferred to the output shift register (OSR) and shifted out serially once the multiplication 
is complete. Note that the worst case delay path from the f_j register to the OSR is independent of the multiplier 
size. The number of L_j and register stages is equal to the degree of the field, in this case four. 

Fig. 15. The multiplier for GF(2^4) 



Each stage L_j contains one 3-input modulo-2 adder, two transmission gates and two NMOS transistors, as 
detailed in Fig. 16. The transmission gates and transistors are configured to perform the AND functions (MSB(P) 
AND f_j, and b_i AND a_j). For example, if b_i = 1 then a_j is passed to the adder; otherwise that adder input line is 
grounded (set to 0). 

Implementation and testing 

A multiplier for GF(2^8) was implemented using a combination of static and dynamic logic and 
fabricated in 5 micron CMOS. It was found to be fully functional, capable of operating at speeds up to 7 Mbits/sec 
[28]. As SPICE simulations predicted, the data rate was limited by the speed of the output pad drivers, not the 
worst case delay path on the chip. Optimization of the pad drivers should improve the speed by about 30-40%. 

Each of the eight slices occupied an area of 185 microns by 1459 microns, of which 10% was 
allocated to test structures. Subsequent chips have been modified to incorporate a more structured design for 
testability approach, the Scan Path technique [29]. In addition, the pad drivers and adders were replaced with 
faster versions. The new slice occupies 23% less area. 






This enhanced 8-bit version was submitted for fabrication in 3 micron CMOS in September 1986, 
along with a 128-bit multiplier. A 512-bit chip, with a total area (multiplier and I/O pads) of 6912 microns by 
6980 microns, will be submitted at the end of 1986. From these two larger designs it is hoped that more 
information about the performance of the algorithm will be obtained. 




XOR : Exclusive-OR 
MSB : Most Significant Bit 

Fig. 16. The circuit for each block L_i shown in Fig. 15. 



5. Conclusion 

RSA architecture. A 22-bit, 3um CMOS prototype of an asynchronous RSA chip has been fabricated and found to 
function correctly with a throughput rate of 150kbits/sec. A conservative estimate for the 512 bit encryption 
rate in 2um CMOS is 30kbits/sec with optimization of the present design and 40kbits/sec with algorithm E. The 
asynchronous clock rate during encryption is not I/O limited nor is it limited by the clock rate in other 
components. 

Concurrent modulo multiplication algorithms provide the most efficient implementations known 
for RSA encryption. Multi-adder algorithms such as algorithms D and E are efficiently implemented with the 
asynchronous pulse-timed adder. Minimization of constant circuit delays is important since they are several times 
larger than the addition time in a clock period. 

GF(2^m) multiplier. To evaluate the performance of the finite field multiplication algorithm, an 8-bit prototype 
has been fabricated in 5um CMOS and tested. It was found to operate correctly for data rates up to 7Mbits/sec. A 
new 8-bit version with faster adders and pad drivers, and a more structured approach to testing is currently being 
fabricated in 3um CMOS along with a 128-bit multiplier. A 512-bit chip will be implemented at the end of 1986 
and should provide some useful information about large VLSI multipliers. 

6. Appendix A: Calculation of the RSA throughput rate with algorithm D 

Constant on-chip communication delays in 5um CMOS: 
Non-overlap time = 2 x 10ns (if adjustable) 
Signal flow after addition: drive carry-out line plus signal flow within bit slice = 30ns 
Clock transition time = 2 x 10ns (crossing threshold only) 
phi2: control generation (15ns) plus driving of control lines plus signal flow within bit slice = 50ns 
Total = 120ns 

1 clock period in a 5um process = TD5 = (Nc + L)Tp + 120ns = 201.2ns 

where Nc = average number of carries for an average of 2.5 adders of 500 bits each = 9.6 
      L = No. of slices separating pulse subsystems of adders = 2 
and   Tp = carry propagation speed in a 5um process = 7ns/slice 

1 clock period in a 2um process = TD2 = TD5 x (2/5)^2 = 32.2ns 

RSA transform execution time = Texe = (the number of modulo multiplications)(the number of periods 
per multiplication)(the length of a period) 
Texe = (1.5 x K)(K + 2) x TD2 = 0.0127 sec 

where K = number of bits in exponent and modulus = 512 

Bit rate = K/Texe = 40 kbits/sec 
Architectures for exponentiation in GF(2^n) 

T. Beth*, B.M. Cook**, D. Gollmann* 



Abstract. 

We investigate different data structures in GF(2^n) and their 
correspondence to silicon architectures to examine possible hardware 
implementations of the Diffie-Hellman key exchange system. 

1. Introduction. 

We want to analyse possible MOS implementations of the Diffie-Hellman 
key exchange system. This system is based on exponentiation in GF(2^n). 
Exponentiation will be performed using a square and multiply algorithm. In 
this paper we will point out how different algebraic structures in the 
representation of GF(2^n) give rise to different architectures for the MOS 
implementation of this algorithm. We will use examples to demonstrate 
the relative merits of the different architectures while giving only 
references for their mathematical foundations. (A survey of the 
mathematical background is given in [1]). 

2. Multiplication. 

2.1. Polynomial basis multiplier 

This architecture is based on the standard way of representing elements in 
GF(2^n) by polynomials. Multiplication is performed by convolution and 
reduction modulo an irreducible polynomial p(x) of degree n (see e.g. 
[2], [3]). Fig. 1 gives a serial input architecture for a polynomial basis 
multiplier. 

Fig. 1. A polynomial basis multiplier for GF(2^5) using p(x)=x^5+x^2+1. 



2.2. Normal basis multiplier (Massey-Omura) 

In a normal basis representation squaring is a single shift in a cyclic shift 
register. A multiplication algorithm can be found e.g. in [4]. Fig. 2 gives a 
parallel input architecture for a normal basis multiplier ([4]), Fig. 3 a 
serial input architecture ([5]). 
Fig. 2. A parallel input normal basis multiplier for GF(2^5) using 
p(x)=x^5+x^4+x^2+x+1 

Fig. 3. A serial input normal basis multiplier for GF(2^5) using 
p(x)=x^5+x^4+x^2+x+1 

2.3. Dual basis multiplier. 

Dual basis multipliers for multiplication with a constant were introduced 
in [6]. A general dual basis multiplier is discussed in [5]; in this algorithm 
one of the factors and the result are represented in the dual basis and the 
other factor in the polynomial basis. Fig. 4 and Fig. 5 give architectures for 
a parallel input and a serial input dual basis multiplier. 

Fig. 4. A parallel input dual basis multiplier for GF(2^5) using p(x)=x^5+x^2+1. 

Fig. 5. A serial input dual basis multiplier for GF(2^5) using p(x)=x^5+x^2+1 

2.4. Evaluation and comparison. 

The proposed polynomial basis multiplier performs a multiplication in n 
steps. The area required grows linearly in n. The architecture does not use 
straightforward shift registers. This disadvantage for standard hardware 
implementations had been a reason to look for new architectures. Normal 
basis and dual basis multipliers can be built from standard shift registers 
(Fig. 2 and Fig. 4). Both perform a multiplication in n steps. In the parallel 
input designs there is an additional delay to the XOR-tree. It may be noted 
that the serial input designs avoid the XOR-tree and use 'non-standard' 
reduction registers similar to the polynomial basis multiplier. 
The size of a normal basis multiplier is mainly determined by the size of 
the PLA. In general it requires O(n^2) AND-gates [4]. In MOS implementations 
additional problems occur due to the number of crossing wires in the PLA. 
The regular PLA of the dual basis multiplier is more convenient for MOS 
implementations. In the parallel input design area requirement however is 
not linear in n when we consider the wiring to the XOR-tree. 
We have already pointed out that the serial input design is not too 
different from the polynomial basis multiplier. In a full custom MOS 
design it is always possible to define basic cells and bit slices tailored 
towards a given architecture. In such an environment the above argument 
against the polynomial basis multiplier is no longer valid. We conclude 
that the polynomial basis architecture is superior to the other 
architectures with regard to a full custom VLSI implementation. 
3. Squaring. 



The normal basis representation is obviously most appropriate for 
squaring. Squaring in the polynomial basis could be done by a multiplier. 
For a particular choice of the reduction polynomial p(x) we can find a 
special architecture for the squarer. Take an irreducible trinomial 
p(x)=x^n+x^k+1, n odd, k even, k<n/2. Observe for some field element u 

$$u^2 = \Big( \sum_{i=0}^{n-1} u_i x^i \Big)^2 = Z_1 + Z_2 + Z_3$$

with 

$$Z_1 = \sum_{i=0}^{(n-1)/2} u_i x^{2i},$$

$$Z_2 = \sum_{i=(n+1)/2}^{n-1} u_i x^{2i-n},$$

$$Z_3 = \sum_{i=(n+1)/2}^{n-1-k/2} u_i x^{2i-n+k} + \sum_{i=n-k/2}^{n-1} u_i \big( x^{2i-2n+k} + x^{2i-2n+2k} \big).$$

Z_1 corresponds to putting coefficients u_0, ..., u_{(n-1)/2} into the even 
positions of a register, 

Z_2 corresponds to putting the coefficients u_{(n+1)/2}, ..., u_{n-1} into the odd 
positions of this register, 

Z_3 corresponds to shifting the coefficients u_{(n+1)/2}, ..., u_{n-1} by k steps 
before adding them into the register (again in odd positions). The top 
k/2 coefficients are added into even positions starting from position 0 
and starting from position k. 

Fig. 6 gives the architecture of such a squarer. It computes the square of an 
element u in n+k/2 shifts. With a minor modification of the design this can 
be achieved in (n+k+1)/2 shifts. 

Fig. 6. Squarer for GF(2^5) using p(x)=x^5+x^2+1. 
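The Z_1 + Z_2 + Z_3 decomposition above, as an added Python example (not the authors' code); the function names and the bit-spreading reference squarer used to check it are constructed here, and the identity is checked for p(x)=x^5+x^2+1 and for a few other trinomials meeting the same conditions.

```python
# Added example (not the paper's own code): squaring in GF(2^n) modulo the
# trinomial p(x) = x^n + x^k + 1 (n odd, k even, k < n/2) by the three sums
# Z_1, Z_2, Z_3 above.  Field elements are ints with bit i = u_i.

def square_trinomial(u: int, n: int, k: int) -> int:
    """u^2 mod (x^n + x^k + 1), assembled position by position as the squarer does."""
    assert n % 2 == 1 and k % 2 == 0 and 0 < k < n / 2
    assert 0 <= u < (1 << n)
    bit = lambda i: (u >> i) & 1
    z1 = z2 = z3 = 0
    # Z_1: u_0 .. u_{(n-1)/2} go to the even positions 0, 2, ..., n-1
    for i in range(0, (n - 1) // 2 + 1):
        z1 ^= bit(i) << (2 * i)
    # Z_2: u_{(n+1)/2} .. u_{n-1} go to the odd positions 1, 3, ..., n-2
    for i in range((n + 1) // 2, n):
        z2 ^= bit(i) << (2 * i - n)
    # Z_3: the same coefficients shifted by k steps (still odd positions) ...
    for i in range((n + 1) // 2, n - k // 2):
        z3 ^= bit(i) << (2 * i - n + k)
    # ... except the top k/2 of them, which land on even positions
    # starting from position 0 and starting from position k
    for i in range(n - k // 2, n):
        z3 ^= bit(i) << (2 * i - 2 * n + k)
        z3 ^= bit(i) << (2 * i - 2 * n + 2 * k)
    return z1 ^ z2 ^ z3


def square_reference(u: int, n: int, k: int) -> int:
    """Spread the bits (u^2 = sum u_i x^{2i} in characteristic 2), then reduce."""
    p = (1 << n) | (1 << k) | 1
    s = 0
    for i in range(n):
        s |= ((u >> i) & 1) << (2 * i)
    for d in range(2 * n - 2, n - 1, -1):   # clear degrees 2n-2 .. n in turn
        if (s >> d) & 1:
            s ^= p << (d - n)
    return s


def check_all(n: int, k: int) -> bool:
    """Compare both squarers for every element of GF(2^n)."""
    return all(square_trinomial(u, n, k) == square_reference(u, n, k)
               for u in range(1 << n))


if __name__ == "__main__":
    # GF(2^5) with p(x) = x^5 + x^2 + 1 (n = 5, k = 2), the field of Fig. 6:
    # u = x^4 gives u^2 = x^8 = x^3 + x^2 + 1  ->  0b01101
    print(bin(square_trinomial(0b10000, 5, 2)))
    print(check_all(5, 2))                 # True
```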
4. Square and multiply. 

Squaring and multiplication can be performed in parallel if square and 
multiply starts at the least significant bit of the exponent ( "right to 
left"). Thus the squarer of Fig.6 can be combined with either the poly- 
nomial basis multiplier or the dual basis multiplier. Fig. 7 gives the 
architecture for the latter case. Note that we do not need an extra register 
to store intermediate results. An exponentiation is performed in n(n+k/2) 
steps (n^2 steps with the modified squarer). If a serial input multiplier is used 
we arrive at a pipeline architecture where we can load the next inputs 
while shifting out the result. 
If exponentiation starts at the most significant bit of the exponent ("left 
to right") multiplication and squaring have to be performed serially. In the 
polynomial basis or dual basis architectures we could use the multiplier 
alternatively for multiplication and squaring. In this case we need an extra 
register for storing the base of the exponentiation. Let m denote the 
number of 1's in the exponent. Both implementations require (n+m)n steps 
for an exponentiation. In a normal basis architecture squaring can be done 
in a single additional step. Thus we need n+mn steps for one 
exponentiation. 
5. Conclusion. 

Normal basis exponentiators need less steps than polynomial basis or dual 
basis exponentiators though the average number of steps is still of order 
O(n^2). They are however not very well suited to VLSI implementations 
especially when area constraints are considered. Dual basis exponentiators 
show an advantage against polynomial basis exponentiators if TTL or 
standard cell technology is employed. If full custom MOS design is 
available the use of polynomial basis exponentiators seems to be the best 
choice. When both area and time requirements are demanding, a bit-slice 
architecture based on principles of Algebraic Algorithm Engineering shows 
an improved behaviour, particularly as unusual geometric configurations 
can be generated. 
ABSTRACT 

A description of the techniques employed at Oxford University to 
obtain a high speed implementation of the RSA encryption algorithm on 
an "off-the-shelf" digital signal processing chip. Using these 
techniques a two and a half second (average) encrypt time (for 512 bit 
exponent and modulus) was achieved on a first generation DSP (The 
Texas Instruments TMS 32010) and times below one second are achievable 
on second generation parts. Furthermore the techniques of algorithm 
development employed lead to a provably correct implementation. 

WHY DSP? 

At the time we started work we considered several implementation 
options : 

1. The first and most available option was an eight bit micro- 
processor - best estimates of 512 bits in 4 minutes (ie. 2 bits per 
second) did not seem very promising. 

2 . A 16 bit micro-processor - might make it in 50 seconds - but that's 
still too slow. 

3. Discrete logic - was going to be extremely complex and messy. 

4. A bit slice system would be very expensive to develop and 
implement. 

5. And although a custom/semi-custom chip would be cheap to 
manufacture, it would be expensive to develop and would be too 
inflexible to allow commitment to the high volumes necessary to 
make this approach economically viable. 
One thing we did know about implementing the RSA algorithm is that it 
involved lots of multiplication and so we decided to see if we could 
utilise a dedicated hardware multiplier/accumulator or MAC. 

6. A MAC taking 100 ns for a 16 x 16 multiply was available and looked 
very promising. However, we quickly realised that we needed some 
fairly specialised hardware to drive it and feed it with data. 
Certainly no ordinary micro-processor would be able to keep up with 
the MAC's performance. 

Just as we were beginning to despair the answer came to us courtesy of 
Texas Instruments who announced a new type of chip : the Digital 
Signal Processor or DSP. 



DIAGRAM ONE - DSP ARCHITECTURE 
7. The DSP - is a MAC and a fast microprocessor on a single chip which 
seemed to be the ideal combination. The first one available 
was the TMS320 which has a 200ns cycle time for most instructions 
including multiply. Our early performance estimates suggested that 
with this chip five seconds for a 512 bit exponentiation should be 
fairly easily achievable. 

THE IMPLEMENTATION 

Having decided to use a DSP we have to develop a program for it. The 
first problem is that there are no suitable DSP compilers available 
and, although we might expect to eventually have to tune the assembler 
code to take full advantage of the DSP architecture and optimise 
performance, assembler is no good as a design language. Furthermore, 
our choice of implementation technique must take into consideration 
the nature of the application and in particular the requirement for 
integrity. With this in mind we chose to use the program development 
and validation techniques expounded by Prof. David Gries of Cornell 
University. The notation used is a combination of predicate logic and 
the "guarded command" form of computation guru Edsger Dijkstra. 

THE ALGORITHM 

In our notation the RSA algorithm can be specified in terms of pre- 
and post- conditions thus: 

spec fastexp.0 (in: A, E, M; out: c); 
{ pre: 0 < A < M & 0 < E } 
{ post: c = A^E mod M } 
endspec 

Where the pre conditions require that: the input data A is in the 
range 0 to M, the modulus minus one and the exponent E is positive; 
and post: the output data c equals A to the power E modulo M. 

The basic algorithm we will work with to satisfy these conditions is 
Knuth's 'square and multiply' exponentiation method with modulo 
reduction incorporated. Thus: 

proc fastexp.1 (in: A, E, M; out: c); 
{ pre: 0 < A < M & 0 < E } 
a, e, c := A, E, 1; 
{ inv: c * a^e mod M = A^E mod M } 
{ bound: t = 2 * log2 e + 1 } 
do e ≠ 0 & e mod 2 = 0 → 
     e, a := e div 2, a * a mod M 
[] e mod 2 ≠ 0 → 
     e, c := e - 1, c * a mod M 
od 
{ post: c = A^E mod M } 
endproc 

Notice that after initialisation of the variables the executable 
portion of this fastexp has been reduced to a single loop command 
albeit with two branches. Writing the algorithm in this very concise 
form which may not at first seem natural, allows us to prove its 
correctness more easily at a later stage. 
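fastexp.1 executed as written, with the invariant and the bound function checked on every pass of the loop, as an added Python example (not the Oxford implementation); the function names and the sample inputs are constructed here, and pow() is used only as the reference for the invariant check.

```python
# Added example (not the Oxford code): fastexp.1 as an executable check of
# its own annotations.  The loop body is the two guarded commands; the
# invariant and bound are asserted each pass, so a wrong refinement trips
# an assertion instead of returning a wrong c.
import math


def fastexp_1(A: int, E: int, M: int, trace=None) -> int:
    """c = A^E mod M by right-to-left square-and-multiply (Knuth's method)."""
    assert 0 < A < M and 0 < E                        # { pre: 0 < A < M & 0 < E }
    a, e, c = A, E, 1
    target = pow(A, E, M)      # reference value, used only to check the invariant
    t_prev = math.inf
    while e != 0:              # both guards are false exactly when e = 0
        assert (c * pow(a, e, M)) % M == target       # { inv: c * a^e mod M = A^E mod M }
        t = 2 * math.log2(e) + 1                       # { bound: t = 2 * log2 e + 1 }
        assert 0 <= t < t_prev                         # bound stays >= 0 and strictly decreases
        t_prev = t
        if e % 2 == 0:         # e != 0 & e mod 2 = 0 -> e, a := e div 2, a * a mod M
            e, a = e // 2, a * a % M
        else:                  # e mod 2 != 0         -> e, c := e - 1, c * a mod M
            e, c = e - 1, c * a % M
        if trace is not None:
            trace.append((e, a, c))
    return c                                           # { post: c = A^E mod M }


def steps_taken(A: int, E: int, M: int) -> int:
    """Loop passes used; never more than the initial bound 2*log2(E) + 1."""
    trace = []
    fastexp_1(A, E, M, trace)
    return len(trace)


if __name__ == "__main__":
    # constructed sample: 4^13 mod 497 = 445, exponent 13 = 1101b
    print(fastexp_1(4, 13, 497))       # 445
    print(steps_taken(4, 13, 497))     # 6 passes: 3 halvings and 3 decrements
```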

Obviously this basic algorithm will need to be written in a 
substantially different form before our target DSP can execute it and 
in order to arrive at an assembler code version we go through a 
process of step-wise refinement. At each step of refinement the 
algorithm is re-written in a form which can be proven to be equivalent 
to its predecessor. In the case of our RSA algorithm most of the 
refinement is necessary in order to be able to represent and operate 
on the several hundred bit long integers within the constraints of a 
16 bit architecture; the implementation of conditions, loops and other 
program constraints being fairly straightforward on the micro- 
processor-like DSP. 

In order to keep our top level program simple and well structured we 
introduce two procedures (subroutines) which we call 'longmult' and 
'longmod' to handle respectively the long integer multiplication and 
modulo reduction. 

Here is the specification of these procedures, once again using the 
pre/post condition form: 

spec longmult.0 (in: u, v; out: w); 
{ pre: 0 < u, v < b^n } 
{ post: w = u * v } 
endspec 

spec longmod.0 (in: w, m; out: v); 
{ pre: 0 < w < m^2 } 
{ post: v = w mod m } 
endspec 



THE HEART OF THE ALGORITHM 

These two procedures really are the heart of the algorithm; and the 
key to performance is going to be their design. First let us consider 
what algorithm to use for long multiplication. The problem we have is 
similar to one we learned to solve at school. There we knew, from a 
memorised table, how to multiply up to 12 times 12 but faced with a 
larger multiplication (and assuming that we all went to school before 
the advent of the pocket calculator) we used a paper and pencil 
algorithm which went something like this (referring to diagram two): 6 
times 2 is 12, 2 down carry 1, 2 times 2 is 4 plus one is 5 and so on 
repeating for each row, shifting one column left each time and 
finishing with a final addition sum. This is a fairly convenient 
method of hand calculation but how efficient is it? 

Taking the general case of an n by n digit multiply - for each row we 
have to do n multiplications, 2n fetches, n + 1 stores and, n carry 
and add operations. Plus the final additions which require n^2 fetches 
and adds plus carries etc. Assuming all operations are equivalent to 
execute that makes in the order of 6n^2 instructions. 

Let's try it another way using the same principle but working in 
columns not rows and saving all the carries till we sum each column. 
DIAGRAM TWO - LONG MULTIPLICATION AT SCHOOL 
DIAGRAM THREE - ALTERNATIVE LONG MULTIPLICATION 

Referring to diagram 3: here 6 times 2 is 12, 2 down 1 to carry, 2 
times 2 is 4, 6 times 3 is 18, 18 plus 4 is 22 plus 1 is 23, 3 down 2 
to carry and so on for the other columns. This time we have the same 
number of multiplies and adds but have saved a set of fetches and 
carries leaving an order of 4n^2 instructions, ie a saving of 33% over 
the previous method. A further 50% saving can be obtained at 
implementation by taking advantage of a feature of the TMS320 DSP 
which allows auto increment and decrement of data pointers during 
multiply and accumulate operations - this effectively gives us the 
data fetching for free. Using this feature the core of our multiply 
program is as shown in diagram four. 

In the DSP we have two auxiliary registers ARO and AR1 which we use as 
data pointers and a T register which contains the multiplicand for any 
multiplication instructions. 

The MPY * star instruction multiplies the contents of the T- 
register by the data pointed to by the current auxiliary register. 
The LTA * star instruction loads the T register (with new data 
pointed to by the current auxiliary register) and adds the result of 
the previous multiply into the accumulator. 

DIAGRAM FOUR - MULTIPLICATION PROGRAM CORE 

MPY *+, 1 
LTA *-, 0 
MPY *+, 1 
LTA *-, 0 
MPY *+, 1 
LTA *-, 0 
MPY *+, 1 



The + and - respectively increment and decrement the current auxiliary 
register and the 0 or 1 at the end selects a new auxiliary register as 
current for the next instruction. Both arguments for each successive 
multiply can thus be changed for no overhead while we multiply and 
add; which is what we need for the column based multiplication 
procedure just described. 

With this method we do have to ensure that we don't overflow the 
accumulator before the end of a column. However, it is a fairly 
simple calculation to work out the optimum word length to satisfy this 
condition. 

In practice we are prevented from using 16 bit words (on the early 
DSPs anyway) because they take all data as being in two's complement 
form. Some of the more recent DSPs do help out by providing 40 bit 
accumulators and unsigned arithmetic. 
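The column-based multiplication and the word-length check just described, as an added Python example (not the paper's TMS320 code): numbers are little-endian lists of base-b digits, the overflow guard raises where the DSP accumulator would silently wrap, and the word-length function carries out the "fairly simple calculation" mentioned above. It generalises Diagram Three's base-10 walk-through to any base and digit count.

```python
# Added example (not the paper's code): column-based long multiplication
# with the accumulator-overflow check and the word-length calculation the
# text refers to.  Numbers are lists of base-b digits, least significant
# digit first.

def longmult(x, y, b, acc_bits=32):
    """Return the 2n-digit product of two n-digit base-b numbers.

    Every column of the product is accumulated into one running sum, the
    way the MPY/LTA pairs of Diagram Four do on the DSP; then the low digit
    is stored and the rest carried into the next column ("6 times 2 is 12,
    2 down 1 to carry, ...").  ValueError flags the failure mode the text
    warns about: the accumulator overflowing before the column is done.
    """
    n = len(x)
    if len(y) != n:
        raise ValueError("operands must have the same number of digits")
    limit = 1 << acc_bits
    product = [0] * (2 * n)
    carry = 0
    for col in range(2 * n - 1):
        acc = carry                          # carry left by previous column
        # pair x[i] with y[col - i] for every i that keeps both in range
        for i in range(max(0, col - n + 1), min(col, n - 1) + 1):
            acc += x[i] * y[col - i]         # one multiply-and-accumulate
            if acc >= limit:
                raise ValueError(f"accumulator overflow in column {col}")
        product[col] = acc % b               # digit "down"
        carry = acc // b                     # remainder "to carry"
    product[2 * n - 1] = carry               # final carry is the top digit
    return product


def max_word_bits(n, acc_bits):
    """Largest word width w (b = 2**w) for which no column can overflow.

    A column holds at most n products below b**2 plus the incoming carry,
    and the total provably stays below n * b**2, so the condition is
    n * 4**w <= 2**acc_bits.  Use acc_bits=31 for a 32-bit two's-complement
    accumulator, the situation the text describes for the early DSPs.
    """
    w = 0
    while n * (1 << (2 * (w + 1))) <= (1 << acc_bits):
        w += 1
    return w


def to_digits(value, b, n):
    """Split a non-negative integer into n base-b digits, LSB first."""
    digits = []
    for _ in range(n):
        value, d = divmod(value, b)
        digits.append(d)
    if value:
        raise ValueError("value does not fit in n digits")
    return digits


def from_digits(digits, b):
    """Inverse of to_digits."""
    value = 0
    for d in reversed(digits):
        value = value * b + d
    return value


if __name__ == "__main__":
    # Diagram Three's walk-through: 26 * 32 in base 10 -> 832.
    print(longmult([6, 2], [2, 3], 10))      # [2, 3, 8, 0]
    # Word width usable for a 512-bit modulus on a 32-bit accumulator
    # (40 digits of 13 bits give 520 bits, enough for 512).
    print(max_word_bits(40, 32))             # 13
```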

MODULO REDUCTION 

Next let's consider the modulo reduction operation. We have an 
intermediate value (say W) which is the result of a long multiply 
calculation and we want to find the remainder when W is divided by the 
modulus M. That is we want: 

X = W mod M = W - M * (W div M) 

where 'div' is normal integer division. 

Division on a DSP is hard (that is to say expensive in time) but given 
that throughout any single exponentiation we will always be using the 
same modulus and that we have available easy or 'cheap' 
multiplication, we can calculate (once only for each M) R, the 
reciprocal of M, and subsequently obtain our result, X, by two 
multiplications and a subtraction: 

X = W - M * (W * R) 

The problem is that R in this case is a real number considerably 
smaller than one. 

Thus, if we are to use this method we need to approximate and scale R. 
That is, multiply R by some power of 2 and round off in order to 
represent R as an integer. 

The trade-off in this is fairly clear - the more accurately we 
represent R (and other intermediate values) the longer it will take to 
do the multiplications; the less accurately, the greater the error we 
will have to correct at the end. 

The mathematics of this trade-off are more complex than it would at 
first appear so I will just assume the results that we proved in our 
paper at Oxford. 

LONGMOD PROCEDURE (refer to Diagram Five) 

If M is represented as n base b digits (and therefore W is 2n base b 
digits) then R should be represented as the integer 

R := b^(2n) div M 

Note that R here will have n + 1 digits as a result of the second 
precondition defining the range of M. 

Next we multiply the most significant n + 1 digits of W by R, then 
multiply the n most significant digits of this result by M, and 
subtract the n + 1 least significant digits of this from the 
corresponding part of W. Our calculations show that the result X so 
obtained will always be in the range 0 to 3M - 1. In other words at 
most two further subtractions of M are required to give us the result 
we are looking for. 

It is possible to show that for about 90% of the values of W and M, 
the initial value of X obtained will be less than M and that only in 
1% of cases will X exceed 2M and thus require two correcting 
subtractions. 

DIAGRAM FIVE - LONGMOD 

    proc longmod.1 (in: w, m; out: x);
    { pre: 0 <= w < m^2 & b^(n-1) <= m < b^n & 3 <= b }
      r := b^(2n) div m;
      y := (w div b^(n-1)) * r;
      x := (w - m * (y div b^(n+1))) mod b^(n+1);
      { 0 <= x < 3m }
      do x >= m -> x := x - m od
      { x = w mod m }
    endproc



It can be seen from all this that for large n this modulo reduction 
method takes about the same time to execute as two long 
multiplications. Actually we can do almost twice as well as this by 
only calculating half the product in each long multiplication since 
the other half of each product is not required. 

Thus, apart from the small overhead of calculating the reciprocal R 
(which could of course be done in advance and stored with its 
corresponding M as part of the RSA key) the modulo calculation is not 
much slower than the long multiplication. 

FASTEXP CONTINUED 

Returning now to the top level Fastexp algorithm. If we represent the 
exponent E as a sequence of n base b digits where b = 2^f then the 
next refinement of the algorithm will require two nested loops to take 
care of respectively the digits and bits of E. Skipping a couple of 
refinement steps, our fastexp procedure is as shown in Diagram six. 

DIAGRAM SIX - PROC FASTEXP.4 

    proc fastexp.4 (in: A, E, M; out: c);
    { pre: 0 <= A < M & 0 <= E }
      (e_(n-1) ... e_0)_b := E;
      a, c, i := A, 1, 0;
      do (e_(n-1) ... e_i)_b != 0 ->
        (e_(i,f-1) ... e_(i,0))_2 := e_i;
        j := 0;
        do j < f ->
          if e_(i,j) = 0 -> skip
          [] e_(i,j) = 1 -> c := c * a mod M
          fi;
          a := a * a mod M;
          j := j + 1
        od;
        i := i + 1
      od
    { post: c = A^E mod M }
    endproc
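The reduction of Diagram Five and the exponentiation loop of Diagram Six, as an added Python example that is not the paper's own code: Python's built-in integer multiply stands in for longmult, and the bookkeeping uses the paper's symbols b (digit base), n (digits in the modulus) and f (bits per digit, b = 2^f). The second value returned by longmod counts the correcting subtractions so the 0..3M-1 claim above can be checked.

```python
# Added example (not the paper's code): Diagram Five's reciprocal-based
# reduction and Diagram Six's digit-by-digit, bit-by-bit exponentiation.
# Python's integer '*' stands in for the longmult routine; the interest
# here is the reduction and the loop structure.

def reciprocal(m, b, n):
    """r := b^(2n) div m.  Computed once per modulus; the paper notes it
    could be stored alongside m as part of the RSA key."""
    return b ** (2 * n) // m


def longmod(w, m, b, n, r=None):
    """Return (w mod m, number of correcting subtractions), per Diagram Five.

    Preconditions: 0 <= w < m^2, b^(n-1) <= m < b^n and b >= 3.  The top
    n+1 digits of w times r give an estimate q of w div m that is never too
    large and at most 2 too small, so w - m*q lies in [0, 3m), which is
    below b^(n+1): only the low n+1 digits of w and of m*q are needed, and
    at most two subtractions of m remain.
    """
    if not (0 <= w < m * m and b ** (n - 1) <= m < b ** n and b >= 3):
        raise ValueError("longmod preconditions violated")
    if r is None:
        r = reciprocal(m, b, n)
    y = (w // b ** (n - 1)) * r            # most significant n+1 digits of w, times r
    q = y // b ** (n + 1)                  # estimate of w div m
    x = (w - m * q) % b ** (n + 1)         # low n+1 digits only; exact since 0 <= w - m*q < 3m
    corrections = 0
    while x >= m:                          # { 0 <= x < 3m }: runs at most twice
        x -= m
        corrections += 1
    return x, corrections


def fastexp(A, E, M, b, n, f):
    """c = A^E mod M following Diagram Six, with reductions by longmod.

    E is consumed as base-b digits (b = 2^f), least significant first; the
    outer loop runs while digits of E remain, the inner loop over the f
    bits of the current digit, squaring a after every bit and multiplying
    it into c whenever the bit is 1.
    """
    if not (0 <= A < M and 0 <= E and b == 1 << f):
        raise ValueError("fastexp preconditions violated")
    r = reciprocal(M, b, n)                # once only for each M
    a, c = A, 1
    e = E
    while e != 0:                          # do (e_(n-1) ... e_i)_b != 0 ->
        digit, e = e % b, e // b           # e_i and the remaining digits
        for j in range(f):                 # do j < f ->
            if (digit >> j) & 1:           # e_(i,j) = 1 -> c := c * a mod M
                c, _ = longmod(c * a, M, b, n, r)
            a, _ = longmod(a * a, M, b, n, r)   # a := a * a mod M
    return c


if __name__ == "__main__":
    # Constructed samples: a 3-digit base-10 modulus, then a 61-bit modulus
    # held as four 16-bit digits (b = 2^16, f = 16).
    print(longmod(123456, 997, 10, 3))                           # (825, 0)
    M = 2 ** 61 - 1
    print(fastexp(3, 1000003, M, 1 << 16, 4, 16) == pow(3, 1000003, M))  # True
```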



which with a few further refinements, including insertion of our 
subroutines longmult and longmod and globalisation of the data 
(to save on parameter passing), can be translated almost directly into 
the TMS320 assembler code listed in Diagram seven. Notice how simple 
the program appears. 

DIAGRAM SEVEN - PROC FASTEXP.7 

    *       proc fastexp.7 (var A,E,M,R,C)
    *
    EXP     LARP    1               use AR1 as a counter to initialize C
            LAR     AR1,N
            MAR     *-              AR1 := N-1
            LACK    C0              C0 is XRAM relative address of C_0
            ADDS    DATA0           DATA0 is XRAM data page address
            ADDS    N               ACC is pointer to C_i
    *
    LOOP1   SUBS    ONE             decrement ACC
            TBLW    ZERO            "C_i := 0"
            BANZ    LOOP1           repeat LOOP1 while AR1>0 and dec AR1
    ENDL1   TBLW    ONE             "C_0 := 1"
            ZAC
            SACL    I               "i := 0"
    *
    LOOP2   LACK    E0              E0 is XRAM relative address of E_0
            ADDS    DATA0
            ADDS    I
            TBLR    EI              "EI := E_i"
            LACK    F
            SUBS    ONE
            SACL    J               "j := f-1"
    LOOP3   ZALS    EI
            AND     ONE             "ACC := EI_0"
            BZ      LSB0            "if ACC = 0 -> skip" (to LSB0)
    LSB1    LACK    C0              "if ACC = 1 ->"
            ADDS    DATA0
            SACL    X               X := address of C_0
            CALL    LONMUL          "call longmult(C)"
            CALL    LONMOD          "call longmod(C)"
    LSB0    LACK    A0
            ADDS    DATA0
            SACL    X               X := address of A_0
            CALL    LONMUL          "call longmult(A)"
            CALL    LONMOD          "call longmod(A)"
            LAC     EI,15
            SACH    EI              "EI := EI div 2"
            ZALS    J
            SUBS    ONE
            SACL    J               "j := j-1"
    ENDL3   BGEZ    LOOP3           "repeat LOOP3 while j>=0"
            ZALS    I
            ADDS    ONE
            SACL    I               "i := i+1"
            SUBS    NE
    ENDL2   BLZ     LOOP2           "repeat LOOP2 while i<n_e"
    *       endproc



There are only 43 machine code instructions required apart from the 
multiplication and modulo procedures. 

This simplicity is another direct benefit of the rigorous 
development methodology employed. 

PERFORMANCE AND SECOND GENERATION DSPs 

This implementation of 'fastexp' takes on average (that is with an 
exponent composed of half 0's and half 1's) 2.6 seconds to execute 
with 512 bit modulus and exponent on a Texas Instruments TMS32010 
running at its maximum clock rate of 20 MHz. The 32010 (originally 
just called the TMS320) was the first general purpose DSP on the 
market but second generation DSPs are appearing now from most 
manufacturers and speed calculations using our algorithm suggest that 
times below 1 second will be possible on the TMS320C25 and below one 
quarter of a second on the Motorola DSP56200 which has a 24 x 24 
multiplier and 56 bit accumulator. 

The third (or is it fifth?) generation DSP from Inmos (the IMS A100), 
which is part of the Transputer family, has on board no less than 32 
16 x 16 multiplier/accumulators and should prove to be the fastest yet 
once we have refined our algorithm into the OCCAM parallel processing 
language which is executed directly by the transputer hardware. 

CUSTOM CHIPS 

Finally, I know that I started this presentation by stating that we 
decided against a custom silicon RSA implementation on the grounds of 
development cost and inflexibility, but a number of developments have 
taken place since we originally came to that conclusion. Most 
importantly the advent of silicon compilers and low volume custom 
silicon processes has reduced the turnaround time and development cost 
to a point where manufacture of a few hundred chips is a viable 
proposition. Furthermore, the increase in demand for fast RSA 
solutions plus the ultimate unit cost and performance advantages has 
led Computer Security Limited's sister company, RAANND Systems Ltd, to 
develop a custom RSA chip. Dr Gordon Rankine, the Managing Director 
of RAANND and the architect of this RSA chip, code named Thomas, has 
documented his presentation of this design elsewhere in the 
proceedings. 
Abstract 

Manipulation Detection Codes (MDC) are defined as a class of checksum algorithms which can 
detect both accidental and malicious modifications of an electronic message or document. 
Although the MDC result must be protected by encryption to prevent an attacker from 
succeeding in substituting his own Manipulation Detection Code (MDC) along with the modified 
text, MDC algorithms do not require the use of secret information such as a cryptographic key. 
Such techniques are therefore highly useful in allowing encryption and message authentication to 
be implemented in different protocol layers in a communication system without key management 
difficulties, as well as in implementing digital signature schemes. It is shown that cryptographic 
checksums that are intended to detect fraudulent messages should be on the order of 128 bits in 
length, and the ANSI X9.9-1986 Message Authentication Standard is criticized on that basis. A 
revised 128-bit MDC algorithm is presented which overcomes the so-called Triple Birthday 
Attack introduced by Coppersmith. A fast, efficient implementation is discussed which makes 
use of the Intel 8087/80287 Numeric Data Processor coprocessor chip for the IBM PC/XT/AT 
and similar microcomputers. 

Key words: Manipulation Detection Code (MDC), Message Authentication Code (MAC), 
checksums, birthday problem attacks, authentication, encryption, digital signature, cryptography, 
numeric data processor chip, math coprocessor chip, 8087, 80287, IBM PC. 
1 Introduction 

A common theme throughout a series of papers [1,2,3] by the author and his colleagues, Dr. S. M. 
Matyas and Dr. C. H. Meyer of IBM, has been the desirability of separating the function of 
encryption from that of authentication, so that they could operate at different architectural 
layers or levels in a communications system. In the context of the ISO Open System 
Interconnect reference model, for example, it was suggested that link encryption might be 
applied to all of the communications from a host, using a stand-alone link encryption device 
operating at ISO OSI layer 1, the data link layer. In this case the appropriate place for 
authentication would probably be in the Presentation or Application layers (layer 6 or 7), 
implemented in an application program inside the host. We have also suggested that since the 
mode of encryption might change depending on the physical medium involved, it would be 
desirable if the method of authentication were independent of the encryption scheme used. 

The recently announced decision of the National Security Agency not to endorse new DES 
equipment for certification in accordance with Federal Standard 1027 after 1988, and in general 
to move on to a new family of encryption algorithms for both Unclassified, National-Security 
Related traffic as well as classified data, should serve to underscore the advisability of such a 
separation of function, as it will result in an increased requirement for "keyless" Manipulation 
Detection Code algorithms. Until the new Commercial COMSEC Endorsement Program (CCEP) 
algorithms are widely available (and perhaps for an even longer period, in the case of 
international circuits which may have to continue running DES), application programs might be 
supported by two or even three different link encryption algorithms (DES, an unclassified CCEP 
Type 2 algorithm, and a classified CCEP Type 1 algorithm, depending on the destination), but 
should require only one authentication algorithm. It should be observed that there is a 
fundamental difference between encryption and authentication with respect to the need to 
change algorithms, for in the case of encryption it is very difficult to know whether your traffic 
is being broken surreptitiously. In the case of authentication, however, it usually becomes 
obvious sooner or later if you have been spoofed. The objective is to minimize the amount of 
time required to detect the spoofing. It would therefore seem that authentication algorithms 
would not have to be changed nearly as often as encryption algorithms, and that there is perhaps 
less need for secrecy in their design. 

In the papers presented to date, our primary concern was to find an authentication algorithm 
that would be more efficient than a MAC (especially when implemented in software on a 
microprocessor), and/or would not require a traditional encryption operation. Only secondarily 
did we focus on what this author now believes to be the fundamental distinction between an 
MDC and a MAC, i.e., that whereas a MAC involves one or more secret keys, an MDC makes use 
of only publicly known quantities, and is therefore considerably more convenient from the 
standpoint of key management. 

1. Jueneman, Robert R., "Analysis of Certain Aspects of Output Feedback Mode", Advances in Cryptology: Proceedings of 

2. Jueneman, R. R., C. H. Meyer, and S. M. Matyas, "Message Authentication With Manipulation Detection Codes", Proceedings of 

1.1 Cryptographic Checksum Requirements 

Let us assume that we wish to apply a cryptographic seal to some electronic message or 
document, and that we will either use a digital signature approach, or else use link or end-to-end 
encryption to protect the MDC result. We must assure that the set of all checksums is very 
nearly one to one with respect to the set of all message texts, so that we can easily check the 
checksum (for example in the digital signature) instead of having to process the entire text. 
That is, given two messages A and B with checksums, we desire that checksum (A) and checksum 
(B) be identical if and only if the messages A and B are themselves identical. Assuming a good 
checksum algorithm, the chances that A and B are not identical given that checksum (A) equals 
checksum (B) should be 2^-k, where k is the number of bits in the checksum and the probabilities 
are averaged over all possible messages. 

More specifically, the algorithm should have the following properties: 

1. If two different texts (of arbitrary length) are checksummed, the probability that the two 
checksums will be the same when the two documents are not identical should be a 
uniformly distributed random variable that is independent of the text, with an average 
value over all possible texts of 2^-N where N is the number of bits in the checksum. 

2. The checksum must be sensitive to permutations, so that the message ABC will produce a 
different value than ACB, etc. 

3. As will be seen, the resulting checksum must be on the order of 128 bits in length, in 
order to resist a so-called "birthday attack" against the text itself. 

4. Finally, all of the bits of the checksum must be an over-determined function of all of the 
bits of the text and all of the bits of the checksum of the previous block, in order to 
defeat several attacks that will be discussed below. 

In addition, in a number of applications it is necessary to add a random Initialization Vector to 
the text itself, and to chain the blocks of messages together by including the checksum of the 
previous block in the checksum of the current block, so that one properly authenticated value 
cannot be substituted for another in a playback attack. For example, if a particular dialog 
occurs frequently, and the answer to some question is either "Yes" or "No", without the 
appropriate chaining the attacker could easily substitute the entire contents of a previous 
message, together with its valid checksum, and the message would be accepted. A 64-bit random 
Initialization Vector will suffice to initialize the authentication, but message chaining may still 
be required. It should be noted that an Initialization Vector may also be necessary to ensure that 
the same text is encrypted differently each time it is transmitted, in order to prevent a so-called 
dictionary attack. In general it appears that the same Initialization Vector (sometimes called a 
Message Indicator) could be used for both purposes, but it would be necessary to carefully 
examine both the encryption and the authentication scheme before making a blanket statement. 
Finally, we must point out that although a DES-based Message Authentication Code or MAC 
could be used to authenticate either an encrypted or unencrypted text without further encryption 
because it makes use of a secret key [4], that is not true of a Manipulation Detection Code. 
Although the text itself does not need to be encrypted, the MDC must be, so that the attacker 
cannot substitute his own MDC with any significant probability of success. In most cases, the 
MDC can simply be appended to the message, and if the entire message is encrypted together 
with the MDC, that will provide adequate protection. If the MDC is easier to calculate than an 
MAC, then if the message would be encrypted for secrecy in any case the MDC technique would 
be more efficient than a MAC. 

2 Attacks Against Checksum Techniques 

In the three previous papers in this series, we have addressed different aspects of the problem of 
authenticating the contents of a message against possible modification or corruption. In the 
first, a flaw in a draft of a federal standard regarding Manipulation Detection Codes was 
pointed out briefly, and a quadratic residue technique suggested as an alternative form of 
checksum. That paper also pointed out the need for two independent keys for encryption and 
authentication if a Message Authentication Code (MAC) [5] is generated through the use of a secret 
(DES) key and appended to the message, for it was shown that the errors introduced in the 
plaintext by an error or by manipulation were exactly the errors needed to cause the MAC to be 
erroneously computed so as to validate the manipulated text. 

The second paper presented an extensive analysis of various forms of Manipulation Detection 
Codes, including block XOR and linear addition techniques, when used in combination with 
Cipher Block Chaining, Cipher Feedback, and Output Feedback modes. That paper also 
discussed the architectural advantages of a Manipulation Detection Code that was independent 
of an encryption algorithm, particularly in those cases where low-level link encryption may be 
used to protect the traffic flowing into or out of a main-frame host processor, yet it is desired 
for an application program in the host to verify the authenticity of the messages received. In 
addition, the potential speed advantages of an MDC technique compared to the calculation of a 
MAC were discussed. 

During the course of writing that paper and reviewing it with our peers, a number of attack 
scenarios were identified that must be considered whenever new schemes are proposed. In 
particular, Dr. Don Coppersmith introduced several attacks which he called under-determined 
knapsack attacks. These have also been called "birthday" attacks, because they generally involve 
generating random variations in the text and calculating a MAC or an MDC, then working 
forward and backward until two matching MACs or MDCs are found. Making random variations 
in the text in two places and then sorting and comparing the results for a match allows the 
attacker to take advantage of the so-called Birthday Problem in statistics to reduce the work 
required to approximately the square root of the effort required to match a particular given 
MAC or MDC. 

4. This is not recommended, however, because an unencrypted MAC reveals something about the message itself, and may form the 
basis for a dictionary attack. 

5. As defined in Federal Information Processing Standard FIPS PUB 46, "DES Modes of Operation" published by the National 
Bureau of Standards, "A MAC may be generated using either the CFB [Cipher Feedback] or CBC [Cipher Block Chaining] mode. 
In CFB authentication, a message is encrypted in the normal CFB manner except that the cipher text is discarded. After 
encrypting the final K bits of data and feeding the resulting cipher text back into the DES input block, the device is operated one 
more time and the most significant M bits of the resulting DES output block are used as the MAC, where M is the number of bits 
in the MAC. In CBC authentication, a message is encrypted in the normal CBC manner but the cipher text is discarded. 
Messages which terminate in partial data blocks must be padded on the right (LSB) with zeros. In CBC authentication, the most 
significant M bits of the final output block are used as the MAC." 

2.1 The Fundamental Birthday Attack. 

The third paper abstracted the second for a more general audience, but also added some new 
information. In particular, it was recognized that any Manipulation Detection Code (MDC) or 
Message Authentication Code (MAC) is susceptible to a birthday attack against the text itself, 
unless the MDC or MAC is on the order of 128 bits in length. This fundamental attack proceeds 
as follows, and assumes that one user is attempting to defraud another by devising a version of a 
bogus or unfavorable contract or agreement which would have an identical checksum as would 
an acceptable version of a legitimate one, having the other party digitally "sign" the legitimate 
version, and then produce the bogus version in front of a judge and claim that the other party 
has defaulted on his obligations: 

1. Assume that a 64-bit MAC or MDC is used, and that if necessary the attacker can exercise 
the authentication system ad infinitum to generate a MAC or an MDC, even if a secret key 
which he does not know is used in the case of the MAC. 

2. The attacker secretly prepares a number of subtle variations of the legitimate text in 
advance, and calculates (or has the system calculate) the MDC or MAC for each one. In 
the case of an electronic mail message or document, for example, suppose that a number 
of lines contain the ASCII character sequence "space-space-backspace" [6] between selected 
words. The attacker might prepare a set of variations of that document in which the 
sequence in selected lines would be "space-backspace-space". The length of the text would 
not be altered thereby, and all of the variations of the document would appear to be 
identical, both when printed and when displayed on the normal video display, unless 
"dumped" in hexadecimal format. Other, more consequential changes to the text could also 
be made, of course. By systematically altering or not altering the text in each of say 32 
different lines, 2^32 or 4.3 billion variations could be generated. A file of records 
consisting of the MAC or MDC plus a 32-bit permutation index could be used to 
summarize what lines were altered by a given variation, and what MAC or MDC resulted. 

3. The attacker then prepares an equally large number of variations on the bogus text he 
would like to substitute for the legitimate text, and calculates (or has the system calculate) 
the MDC or MAC for each one of those variations as well, producing another file of 
MAC/MDC results plus the permutation index records. 

4. The attacker then compares the two files, searching for a pair of identical MACs or MDCs 
and noting the permutation indices. (If no match is found, the attacker can simply 
generate a few more random variations of the legitimate and the bogus texts until a match 
is found.) He then recreates the full text of both the acceptable and the unacceptable 
documents with the specific modifications necessary to produce the matching MACs or 
MDCs, based on the permutation indices. 

6. Other combinations, such as null-character, or carriage return - line feed would also work, as well as less subtle variations such as 
changing "the" to "an", or inserting or deleting commas or spaces in a numeric field. 

5. Finally, he offers the appropriate variation of the legitimate contract to the other party 
and both "sign" it. At some time in the future the attacker substitutes the unfavorable 
contract, and tells the judge that the digital signature containing the MAC/MDC "proves" 
it was that version that was signed by both parties. 

This is Yuval's [7] classic "How to Swindle Rabin" form of a so-called "Birthday Problem" attack. 

According to the famous birthday paradox [8] problem in statistics, this kind of an attack is likely 
to succeed if the number of variations of each document that are generated and compared 
approaches the square root of the total number of possible MAC/MDC values. That is, if a 32- 
bit checksum were used, the probability of a successful attack would be about 50% after only 2^16 
or 65536 variations were computed, and would increase rapidly after that point. If a 64-bit MAC 
or MDC were used, then the 4.3 billion iterations produced by systematically varying 32 lines of 
text would be likely to suffice. 
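An added example, not part of the paper, for sizing a checksum against the two-file birthday attack just described: with N variations per file and a k-bit checksum there are N*N cross-pairs, each colliding with probability 2^-k. The functions treat those pairs as independent (accurate while N is far below 2^k) and give the attacker's success probability, the N at which a target probability is reached, and the smallest k that keeps N variations per file below a chosen probability; at N = 2^16 against 32 bits the expected number of matching pairs reaches one, the point the text puts at roughly even odds.

```python
# Added example (not from the paper): sizing a checksum against the two-file
# birthday attack.  N variations per file give N*N cross-pairs; each pair
# collides on a k-bit checksum with probability 2^-k.  Pairs are treated as
# independent, which is accurate while N is far below 2^k.

import math


def collision_probability(bits, variations_per_file):
    """Probability that some checksum in the first file equals some checksum
    in the second, for N = variations_per_file and k = bits:
    1 - (1 - 2^-k)^(N*N), evaluated in log space so that a huge N*N and a
    tiny 2^-k do not lose precision."""
    pairs = variations_per_file * variations_per_file
    return -math.expm1(pairs * math.log1p(-(2.0 ** -bits)))


def variations_for_probability(bits, target):
    """Variations per file (N) at which the attack reaches probability target."""
    pairs = math.log1p(-target) / math.log1p(-(2.0 ** -bits))
    return math.ceil(math.sqrt(pairs))


def min_checksum_bits(variations_per_file, max_probability):
    """Smallest k such that an attacker holding N variations per file
    succeeds with probability at most max_probability."""
    bits = 1
    while collision_probability(bits, variations_per_file) > max_probability:
        bits += 1
    return bits


if __name__ == "__main__":
    # The text's cases: 32-bit checksum with 2^16 variations per file,
    # 64-bit with the 2^32 variations obtained from 32 alterable lines,
    # and a 128-bit checksum against the same 2^32 variations.
    for k, n in ((32, 2 ** 16), (64, 2 ** 32), (128, 2 ** 32)):
        print(k, n, collision_probability(k, n))
    # Checksum length that holds a 2^32-variation attacker below 1e-12.
    print(min_checksum_bits(2 ** 32, 1e-12))   # 104
```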

In order to see whether this attack would be computationally feasible against a 64-bit MAC, let 
us assume that the variations all occur at the end of the text and that exactly one variation 
occurs in 8 bytes of text, so that only one DES iteration would be required to account for that 
variation. The brute-force way to calculate the resulting MAC for the entire text would be to 
recalculate the last 32 DES blocks for each variation, which would require 2 x 32 x 2^32 DES 
iterations for the two sets of variations of the text. However, by only encrypting those blocks 
that have changed and those for which earlier blocks have changed, the number of DES 
iterations can be reduced to 2 x (2^33 - 1). A hardware DES implementation running at 10 
microseconds per iteration could complete the task in just under 2 CPU days. 

However, the amount of I/O required to sort and compare the data must not be neglected. A 64 
bit MAC and a 32 bit permutation index per variation would require 12 bytes per entry times 2^32 
entries, or 51.5 gigabytes per file. At an effective rate of 20 microseconds per variation 
(including encrypting due to the requirement to reencrypt blocks after a change), data would be 
generated at the rate of 4.8 Mbps or 600 kilobytes per second, which is well within the channel 
capacity of a mainframe computer to record. The process of comparing two files consisting of 
340 reels each of 6250 bpi high-density tape (151 megabytes per reel), searching for any one 
value on one file that matches any one value on the other file, would admittedly be a lengthy 
task even for a mainframe computer, but it is not infeasible. One approach would be to presort 
the information by distributing the data across 22 tape drives while the information is being 
generated, producing 22 files of approximately 15 to 16 reels each for each variation. Each of 
those files could in turn be distributed onto 20 reels of tape at maximum tape speed, and then 
those approximately 680 individual reels could be sorted one at a time using a conventional tape 
or disk sort routine, and finally compared. Assuming each reel requires 15 minutes to sort, the 
total process could be completed in about a week. 

7. Yuval, G., "How to Swindle Rabin", Cryptologia, Vol 3., No. 3, July 1979, pp 187-190. 

8. How many people must there be in a room in order to have a good chance that at least two people in the room will have the same 
birthday? 

An interesting alternative technique was suggested by Caron and Silverman's distributed processing approach to factoring [9]. Let us 
assume that the attacker has at least the occasional use of 256 Intel 80386-based microprocessors or similar machines which are 
connected via a high-speed LAN. Each of these slave machines will be assumed to have two boards of 8 megabytes [10] each of the new 
1 megabit memory chips. In addition, a master station will be equipped with a hardware DES implementation, four 8-megabyte 
memory boards, and two 85 megabyte hard disks. 

The total amount of memory in the 256 slave processors would be 4.295 gigabytes, or 2^35 bits. Let us assume that after each 
calculation of a MAC in the first set of variations, the master workstation sends 24 bits (bits 8 through 32) of the MAC to the 
appropriate slave processor based on bits 0 to 7 of the MAC. Each slave processor would then use those 24 bits to address a 
particular bit within its memory, and would turn on that bit. At the end of the first pass through all of the variations of a single 
document (requiring about 24 hours), the contents of the first 32 bits of all 2^32 MACs calculated would be represented as a set of bits 
turned on in all of the memories. Because there are 2^32 bits turned on out of 2^35 bits total, the probability that a particular bit will 
be on after the first pass is 1/8, with many bits having been turned on multiple times within this pass. At the end of the first pass, 
all of the slave processors would dump memory to a hard disk, then zero all of the bit storage area. 

The master processor would then begin processing the second set of variations and would again send 24 bits of the MAC to all of the 
slave processors. This time, however, the slave processors would check to see if that particular bit had already been turned on. If it 
had, it would signal the master CPU, which would record that permutation index. Because the probability of a particular bit being 
turned on in both the first and the second passes is 1/64, a 1 byte increment from the previous permutation index would normally 
suffice and there would be approximately 2^32/64 or 67,108,859 values to record, so one 85 megabyte hard disk would be sufficient to 
contain one set of permutation indices. 

The master CPU would then repeat the calculations of the first pass in a third pass, again broadcasting 24 bits of the MAC to the 
appropriate slave stations, which would reply whenever a collision was found. The master station would then record the 
permutation indices associated with those collisions on the second 85 megabyte hard disk. 

This entire three pass process would then be repeated, but instead of examining the first 32 bits of the MAC the last 32 bits would be 
used. The fourth pass would initially turn on a set of bits based on the first document, and the fifth pass would check for a possible 
collision. However, the master CPU would not have to generate all 2^32 variations, but would only process the variations that were 
previously recorded as potential matches after the second and third passes. Therefore, instead of taking two days for this processing, 
it would only take about 45 minutes. 

During the fifth and sixth passes, the various slave processors would send back acknowledgements as before, and the master station 
would erase any permutation index that did not produce a collision. This time, the probability of a false alarm collision is only 
1/4096, so the expected number of collisions remaining to be processed is 1,048,576. 

The master station would then make two internal passes over the remaining permutation indices for the two different documents, 
using a hash table lookup scheme to store/search the 64-bit MAC and 32 bit permutation indices. 

2.2 Other Opportunities For Birthday Attacks. 

Similar attacks could potentially succeed against command and control systems, especially if the 
attacker is able to send bogus commands and random variables over a channel that cannot be 
shut down without denying service to the legitimate users as well. An example would be an 
attacker who attempts to take over or disrupt a communications satellite by sending spurious 
commands via the Telemetry, Tracking, and Control channel to the satellite in an attempt to get 
it to move out of position, use up all of the maneuvering fuel, go into a spin, etc. There is no 
easy way that the attacker can be located, and if he is operating out of a foreign country there 
may be nothing that can be done to stop his transmissions. The attacker can simply send random 
data, and even if the command link were encrypted there is a possibility that the decrypted 
information might be accepted as a valid command. Unless a sufficiently long checksum is used, 
random data and a random MDC or MAC will eventually result in a random command being 
accepted [11]. 

9. Caron, Thomas R. and Robert Silverman, "Parallel Implementation of the Quadratic Sieve", Advances in Computer Science - 
CRYPTO '86 Proceedings, Springer-Verlag, Berlin, 1987. 

10. Sixty-four microprocessors with 64 megabytes of memory would be significantly cheaper, but that would be a very special 
system, as opposed to a configuration that might be used for other purposes and could be "borrowed" for our purposes. 

Another instance could arise in a multilevel-secure system, where a cryptographic "seal" is 
applied to an "object", in order to prevent classified information from being disclosed or 
modified without proper authorization. For example, if the security classification associated 
with the object could be manipulated by a Trojan Horse program, a classified object's label could 
be changed to "unclassified", and the information released. Similarly, the contents of a properly 
marked, unclassified object could be changed and classified information inserted. Because the 
sensitivity label must be very closely associated with the contents of the object (to prevent a 
simple cut-and-paste attack), the security seal of the object typically includes both the sensitivity 
label and the contents of the object as well. In this case, the Trojan Horse program could 
conceivably manipulate the label together with some innocuous portion of the data, and 
repeatedly present the information to the cryptographic seal mechanism until two versions, one 
good and one bad, happened to produce the same cryptographic checksum. The substitution 
would then be prepared. 

2.3 Recommended Length For Cryptographic Checksums. 

Based on these attacks, we conclude that it is essential that any MAC or MDC checksum be on 
the order of 128 bits in length, in order to protect against situations where the opponent could 
systematically change both the text and the MAC/MDC until he finds a combination that works. 

A 128-bit checksum is sufficient, because in addition to the sorting and searching problem 
rapidly becoming insurmountable (after about 80 bits), the 2^65 basic MAC/MDC calculations 
required by the birthday problem attack would not be computationally feasible, even if they 
were to take only 1 nanosecond apiece. It must be stressed that this attack has nothing to do 
with the cryptographic strength of the MAC or MDC algorithm, or whether conventional keys, 
public keys, or no keys at all are used, but only whether the length of the result is sufficient to 
withstand any computationally feasible number of random "birthday attack" trials. 

In this connection, it is worth observing that the recently revised ANSI X9.9-1986 authentication 
standard 12 specifies the use of a 32-bit MAC, although the future use of a 48-bit or 64-bit MAC 
is also discussed. In analyzing the protection afforded by that standard, we should consider both 
external attacks and internal fraud. With respect to an external threat in this environment, a 32-
bit MAC is arguably sufficient. Even though an attack against such a system would be likely to 
succeed after only 65 thousand attempts, hopefully all of the false MACs should generate some 
alarm, and the investigative agencies would be called in to stop the perpetrator before he (or 
she!) was successful. 



11. Actually, satellite command processors typically echo the command received back to the ground, and then require an "Execute" 
command within a certain period to make the received command take effect. Assuming that the Execute command is also 
encrypted and authenticated it is much less likely that this particular attack would succeed, but the point is clear. 

12. Financial Institution Message Authentication (Wholesale) X9.9-1986 (Approved August 15, 1986), published by the X9 
Secretariat, American Bankers Association, 1120 Connecticut Avenue, Washington, D.C. 20036. 

With respect to a possible internal threat or Trojan Horse program, however, it is obvious that if 
the security of the system were to rest solely on the authentication provided by the MAC, then a 
32-bit MAC is grossly inadequate. It should be apparent from the preceding discussion that even 
a 64-bit MAC would provide inadequate protection from a member bank or insider who might 
attempt to defraud another institution, if that were the only mechanism used to protect against 
such attacks. In the banking environment, of course, there are all sorts of reconciliation 
processes that would presumably uncover such attempts at fraud sooner or later, but in other 
environments this might not be the case. System developers are therefore cautioned not to apply 
the X9.9-1986 authentication standard outside of the specific wholesale banking environment for which 
it was developed. 

2.4 The Need For Super-Authentication. 

It should be noted that if an MDC technique were used to authenticate a message that is 
protected by Output Feedback (OFB) mode (or worse yet, not protected at all), the opponent 
could easily calculate a valid MDC to go with the modified text, and append the new MDC to 
the text at will, since there is no separate cryptographic key used to protect the authentication 
information. Even though the attacker doesn't know the key used to encrypt the message, if we 
assume that he does know the plaintext (perhaps because he generated it) he can determine the 
keystream output from OFB by XORing the ciphertext with the plaintext, and can then change the 
text under that keystream to suit his purposes. This particular attack can be defeated by having the system 
introduce a secret, varying, random component which the opponent doesn't know (an 
Initialization Vector) into every message, and including that random value in the MDC 
calculation. The Initialization Vector is not a key, since it doesn't have to be known in advance 
by either party. It doesn't even have to be deterministic, and it can be discarded by the receiver 
after the MDC is checked. However, the random value should be at least 64 bits long, so that the 
attacker cannot discover its value (and hence the true value of the MDC, and therefore the 
corresponding bits of the key stream) by exhaustively trying all possible values of the initial 
random component. 
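The following Python program is an added illustration of the attack and the countermeasure just described; it is not code from the original paper. A message and its unkeyed MDC are encrypted under an OFB-style keystream; an attacker who knows the plaintext (but not the key) XORs ciphertext and plaintext to recover the keystream, substitutes a new text and a freshly computed MDC, and re-encrypts. The forgery is accepted. When the sender prefixes a secret 64-bit random value that is included in the MDC, the attacker can still recover the keystream over the text he knows, but cannot compute the MDC the receiver will check, and the forgery is rejected. The hash-based keystream generator, the 64-bit truncated SHA-256 used as the MDC, and the constructed key, IV and messages are all assumptions of this example.

```python
import hashlib

# Constructed sample values (assumption)
KEY = b"sixteen byte key"
IV = b"initial vector!!"
TEXT = b"TRANSFER 0000100 TO ACCT 12345678"
FORGED_TEXT = b"TRANSFER 9999999 TO ACCT 87654321"   # same length as TEXT
SECRET_RANDOM = hashlib.sha256(b"constructed random value").digest()[:8]


def mdc(data: bytes) -> bytes:
    """Unkeyed manipulation detection code: SHA-256 truncated to 64 bits (stand-in)."""
    return hashlib.sha256(data).digest()[:8]


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy OFB-style keystream (assumption): each block is a function of the key and
    the previous output block only, so it does not depend on the plaintext."""
    out, prev = b"", iv
    while len(out) < length:
        prev = hashlib.sha256(key + prev).digest()
        out += prev
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def send(key: bytes, iv: bytes, text: bytes, secret_random: bytes = b"") -> bytes:
    """Encrypt (random || text || MDC(random || text)) under the keystream."""
    body = secret_random + text + mdc(secret_random + text)
    return xor(body, keystream(key, iv, len(body)))


def receive(key: bytes, iv: bytes, ct: bytes, random_len: int = 0):
    """Decrypt, check the MDC over (random || text); return the text or None."""
    body = xor(ct, keystream(key, iv, len(ct)))
    payload, tag = body[:-8], body[-8:]
    return payload[random_len:] if mdc(payload) == tag else None


def forge(ct: bytes, known_text: bytes, new_text: bytes, random_len: int = 0) -> bytes:
    """Attacker: knows the plaintext, not the key. Recovers keystream by XORing the
    ciphertext with what he believes the plaintext body to be, then re-encrypts a
    new body. He does not know the secret random prefix, so he guesses zeros; the
    keystream bytes he recovers over the prefix and the tag are then wrong."""
    assert len(new_text) == len(known_text)
    guess = bytes(random_len)
    believed_body = guess + known_text + mdc(guess + known_text)
    ks = xor(ct, believed_body)
    new_body = guess + new_text + mdc(guess + new_text)
    return xor(new_body, ks)


def demo():
    """Return (text accepted without random component, text accepted with it)."""
    ct1 = send(KEY, IV, TEXT)
    accepted_plain = receive(KEY, IV, forge(ct1, TEXT, FORGED_TEXT))
    ct2 = send(KEY, IV, TEXT, SECRET_RANDOM)
    accepted_random = receive(KEY, IV, forge(ct2, TEXT, FORGED_TEXT, 8), 8)
    return accepted_plain, accepted_random


if __name__ == "__main__":
    print(demo())
```

Without the random component the receiver returns the forged text; with it the receiver returns None, because the attacker would have to guess the 64-bit prefix to compute the MDC the receiver recomputes.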

With this in mind, let us reconsider the delayed transmission OFB attack that was discussed in 
the second and third papers. That attack made use of a lengthy message whose plaintext was 
known to the attacker, so that an extensive amount of keystream would become known. The 
beginning and end of the message would then be jammed, and an invalid message substituted 
based on the keystream. The invalid message could even contain a random component, since the 
attacker would have already recovered the keystream bits for that portion of the output. 

In order for this attack to succeed, it is necessary for the attacker to precisely synchronize the 
plaintext and the ciphertext, know the current message sequence number, intercept the ciphertext 
and block it, jam the portion of the message containing the secret, random component to make it 
look like a noise burst on the transmission medium, and then fabricate any desired random 
value, bogus message, and a corresponding fraudulent MDC, and follow it with a valid HDLC 
frame check sequence. Finally, the end of the message containing any remaining message text, 
the old MDC, frame check, and the start of the next message would be replaced with random 
characters to cause another noise burst to be simulated, which would then be rejected by the 
standard HDLC error recovery mechanism at the receiver. 

It should be clear that this real-time interception and modification technique, although difficult 
to put into practice, could theoretically be applied to any MDC scheme that does not involve the 
use of a secret key for authentication, if the message text being sent is known to the attacker. 

Although this attack was previously considered legitimate, and a potentially serious obstacle to 
the use of an MDC technique, it can only succeed if the message being attacked is considered in 
isolation, as if it were the only message being sent. In order to defeat the attack it is only 
necessary to chain the individual messages together in such a manner that a change in one 
message will affect the MDC in the next message. Therefore, instead of the MDC in a given 
message pertaining to that message, it should instead pertain to the previous message. The MDC 
contained in the first message should cover the Call Request/Call Acknowledgement or other 
session establishment message sent by the other correspondent, and containing a secret, random 
component known to that correspondent, or the system at that end. By MDCing something that 
the other correspondent already knows, the chain is anchored at the beginning, defeating an 
attack that would systematically change every message in the sequence. 

Each MDC should therefore cover not only the data contents of the previous message, but the 
previous MDC as well, so that changing a single bit of a message will affect all of the MDC 
results from then on. The MDC for the previous message then satisfies the requirement for a 
secret, random component in each message if OFB is used. In order to detect an attempt to 
delete the final message of a session, a unique end-of-session message should be sent that 
includes the MDC of the previous message, plus the MDC of the end-of-session message itself. If 
a digital signature capability is implemented, it would be desirable to sign this final message. If 
the final MDC is digitally signed, then the initial MDC could be a constant. This would avoid 
the necessity of having a session established in real time so that the other correspondent can 
check the original value of the MDC at the time of session startup. This would be particularly 
useful in store-and-forward message systems, including electronic mail and bulletin board 
systems, where the receiver is not in direct contact with the originator and the intermediate 
system may be a public or untrusted system. It would also apply to unidirectional transmission 
systems, including some command and control systems as well as systems that transmit to 
destinations operating under radio silence rules. 
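As an added example (not from the original paper), the following Python code implements the chaining just described: the MDC carried in message i covers the previous message together with the previous MDC, the first MDC is anchored on the session-setup value known to the other correspondent, and a unique end-of-session frame carries the MDC of the last data message plus the MDC of the end-of-session frame itself. The receiver then detects a modified message at the next frame, and detects deletion of the final frames. The frame layout, the 128-bit truncated SHA-256 used as the MDC and the end-of-session marker are assumptions of this example.

```python
import hashlib

END_OF_SESSION = b"\x04END-OF-SESSION"   # constructed unique marker (assumption)
MDC_LEN = 16


def mdc(data: bytes) -> bytes:
    """128-bit stand-in MDC (assumption: SHA-256 truncated to 16 bytes)."""
    return hashlib.sha256(data).digest()[:MDC_LEN]


def build_session(setup_secret: bytes, messages):
    """Sender: frame i = (text_i, MDC(text_{i-1} || MDC_{i-1})), anchored on the
    session-setup secret; the closing frame carries MDC of the last data frame
    followed by an MDC over the closing frame itself."""
    frames = []
    prev_text, prev_mdc = setup_secret, b""
    for text in messages:
        tag = mdc(prev_text + prev_mdc)
        frames.append((text, tag))
        prev_text, prev_mdc = text, tag
    closing = mdc(prev_text + prev_mdc)
    frames.append((END_OF_SESSION, closing + mdc(END_OF_SESSION + closing)))
    return frames


def verify_session(setup_secret: bytes, frames):
    """Receiver: return the accepted texts, or raise ValueError naming the first
    frame whose chained MDC fails, or a missing end-of-session frame."""
    prev_text, prev_mdc = setup_secret, b""
    accepted = []
    for n, (text, tag) in enumerate(frames):
        if text == END_OF_SESSION:
            closing, own = tag[:MDC_LEN], tag[MDC_LEN:]
            if closing != mdc(prev_text + prev_mdc) or own != mdc(text + closing):
                raise ValueError(f"frame {n}: end-of-session MDC mismatch")
            return accepted
        if tag != mdc(prev_text + prev_mdc):
            raise ValueError(f"frame {n}: chained MDC mismatch")
        accepted.append(text)
        prev_text, prev_mdc = text, tag
    raise ValueError("session truncated: no end-of-session frame")


def session_status(setup_secret: bytes, frames):
    """Convenience wrapper returning ('ok', texts) or ('error', reason)."""
    try:
        return ("ok", verify_session(setup_secret, frames))
    except ValueError as e:
        return ("error", str(e))


if __name__ == "__main__":
    fr = build_session(b"setup-secret", [b"first", b"second", b"third"])
    print(session_status(b"setup-secret", fr))
    tampered = list(fr)
    tampered[1] = (b"SECOND", tampered[1][1])       # MDC in frame 1 still covers frame 0
    print(session_status(b"setup-secret", tampered))  # caught at frame 2
    print(session_status(b"setup-secret", fr[:-1]))   # deleted closing frame
```

Note that a change to frame 1 is caught at frame 2, exactly as the text describes: each MDC pertains to the previous message, so the substituted message is rejected one frame later, and the closing frame prevents an attacker from simply dropping the tail of the session.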

Finally, it should be noted that in some cases the communications system may employ some 
device such as an Automated Teller Machine to screen the messages being sent, allowing only the 
"good" messages through. But in this case the system (the ATM machine and the bank) and the 
user do not necessarily share common interests. The user may wish to ensure that his messages 
are kept secret, and the legitimate user may also be interested in assuring the end-to-end 
integrity of his messages. But the system, in this case the ATM machine, may also have a role to 
play in assuring that the user does not compromise the integrity of his own messages. 

We should not try to satisfy both of these possibly diverging requirements through one 
mechanism. Instead, just as we sometimes use super-encipherment (for example using end-to-end 
DES encryption to ensure writer-to-reader privacy, plus link encryption using classified 
algorithms to protect against an external threat), we should talk about super-authentication. 
That is, if the system has a requirement to assure that messages are not modified after they exit a 
secure processing facility, then the system must independently provide that assurance without 
depending upon the user's mechanisms. 

3 A Quadratic Congruential MDC 

Now that we have developed the rationale for the use of an MDC algorithm, we should certainly 
try to define a suitable implementation: 

3.1 The Original QCMDC. 

The original Quadratic Congruential Manipulation Detection Code (QCMDC) function proposed 
in the second paper in this series was defined as: 

    Z_0 = C = MDC initial value 
    Z_i = (Z_{i-1} + X_i)^2 mod N 
    MDC = Z_n, 

where C, Z_i, and MDC are all 32-bit integers in two's-complement notation, and N was the 
Mersenne prime 2^31 - 1, chosen so that the modulo result would fit in a 32-bit word. 

In order to prevent an attack against the MDC in the case of Output Feedback Mode (where both 
the text and the MDC could easily be changed), it was first proposed to make the first 32 bits of 
the message a secret seed, S, withheld even from the message originator, so that if the opponent 
attempted to attack his own message he would not know the secret seed and would therefore not 
be able to intelligently modify the MDC. 

However, a variation of the under-determined knapsack attack of Coppersmith involving the 
taking of square roots modulo N and working backwards from the MDC in a meet-in-the-middle 
attack showed that the use of the secret seed, S, was not sufficient; and that either a secret 
quantity C would have to be introduced into the accumulator or the MDC would have to be 
extended to 80 bits or more. 

When the QCMDC algorithm was first implemented on the 8087, some variations were also coded 
and tested which used an Exclusive OR operation (denoted ⊕ or XOR). These variations were 
intended to defeat Coppersmith's technique of working backwards taking square roots modulo N. 
Although these operations were felt at the time to increase the cryptographic strength of the 
algorithm by denying the attacker the opportunity to work backwards (by making the algorithm 
non-invertible), the additional operations were quite time consuming. 

However, we concluded in the third paper that the MDC must be on the order of 128 bits long in 
order to foil the birthday problem attack in any case, and for that reason it was recommended 
that four separate iterations of the MDC algorithm be performed over the text resulting in a 124-
bit MDC. It was therefore thought that Coppersmith's attack on the QCMDC would be defeated 
because of the difficulty of generating the requisite 2^62 different variations. We then concluded 
that none of the variations on the basic QCMDC approach were necessary. 

3.2 The Triple Birthday Attack 

Ironically, one week before the publication of the third paper, Coppersmith 13 pointed out a 
weakness in a double-iteration DES signature scheme by Davies and Price which also applied (to 
a somewhat lesser degree) to the quadruple-iteration MDC scheme, as follows: 

- Assuming the use of an arbitrary invertible function F(X,H) as a checksum function 
operating over the message M = (M_1, M_2, ..., M_n), intermediate results H_1, H_2, ..., H_n are 
produced from the relation H_i = F(M_i, H_{i-1}), or alternately from the inverse of F, H_{i-1} = 
F^{-1}(M_i, H_i). 

- During a precomputation phase, select some arbitrary n-bit quantity Z, which is going to 
be the value of H_2, H_4, H_6, ..., H_18. Then randomly select approximately 2^36 values X, 
compute the values F(X,Z), and store these values. Then randomly select 2^36 values Y, 
compute the inverse function F^{-1}(Y,Z), and store those values as well. Then compare all 
of the Y values to all of the X values searching for a matching pair, using a sort and 
compare technique as required. This constitutes the first birthday problem. We expect to 
find 256 such matching pairs, and if not, we will examine a few more values of X or Y or 
both. Note that each such pair (X_i, Y_i) can be used as a message pair (M_3, M_4), (M_5, M_6), 
..., or (M_17, M_18) such that if H_2 = Z, M_3 = X_i, M_4 = Y_i then H_4 = Z, etc. 

- Given a message M* = (M_19, M_20, ..., M_n), the chosen value of Z, and the 256 pairs (X_i, Y_i) 
obtained during the precomputation, our task is to select values of M_1, M_2, ..., M_18 which 
will make H_2n a valid hash of M = (M_1, M_2, ..., M_n). We therefore find values of M_1 and M_2 
such that F(M_1, H_0) = F^{-1}(M_2, Z), where H_0 is the initial value, to put ourselves in a 
standardized position (H_2 = Z). This takes on the order of 2^33 hashing operations and 2^33 
storage. This is the second birthday problem. 

- Working backwards from H_2n (note that this requires the checksum function to be 
invertible), using the values M_n, M_{n-1}, ..., M_19, we find the value of H_{n+18}, the value of 
the hash function on the second iteration. Finally, we make use of the precomputed pairs 
(X_i, Y_i). For each of the 256^4 = 2^32 choices of the four pairs (X_i, Y_i) to be the values of 
(M_3, M_4), (M_5, M_6), (M_7, M_8), and (M_9, M_10), we compute the value of H_{n+10} that would result; 
then do the same thing with the values of (M_11, M_12), (M_13, M_14), (M_15, M_16), (M_17, M_18), 
computing backwards from H_{n+18} to get a value for H_{n+10}. We again sort and compare these 
values as the third birthday problem. We expect one match, and the corresponding values 
of M_3 through M_18 finish our task for a two-pass checksum process. 

- The process could be extended to attack a triple-pass hash algorithm by constructing eight 
"super-pairs" consisting of M_19 through M_35 plus M_36 through M_52, etc., up to M_258. Each 
super-pair would be manipulated during the precomputation phase to continue to produce the 
value of Z, even on the third pass. Only slightly more computation would be required, 
but obviously 258 blocks of the message M would be constrained, limiting the messages 
that could be attacked to fairly long ones. Finally, this process could be extended even 
further to attack a quadruple-pass hash algorithm by computing eight "super-dooper" pairs 
consisting of 512 blocks each, or a total of 4098 blocks. 

The multiple birthday attack therefore serves to reduce the strength of an N-pass signature 
scheme from an apparent 2^(N*k/2) to an almost trivial N*2^(k/2). 



13. Coppersmith, D., "Another Birthday Attack", Advances in Cryptology - CRYPTO '85 Proceedings, Lecture Notes in 
Computer Science, Vol. 218, Springer-Verlag, Berlin, 1986, pp 14-17. 
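The following Python program is an added illustration of the first birthday problem in Coppersmith's attack, scaled down so that it runs in a fraction of a second; it is not code from the paper. A toy 16-bit invertible step F(X, H) stands in for the 64-bit function (assumption), so 2^10 forward values F(X, Z) and 2^10 backward values F^{-1}(Y, Z) yield about 16 matching pairs instead of the 2^36 values and 256 pairs of the text. Each match is a two-block message (X, Y) that returns the chaining state to Z, and any sequence of such pairs leaves the state at Z, which is what lets the attacker freely choose among 256^8 messages with identical intermediate states in the second and third birthday problems. The multiplier, rotation amount and seed are arbitrary constants chosen here.

```python
import random

BITS = 16
MASK = (1 << BITS) - 1
MULT = 0x9E37                       # odd, hence invertible modulo 2**16
MULT_INV = pow(MULT, -1, 1 << BITS)


def rotl(v: int, r: int) -> int:
    return ((v << r) | (v >> (BITS - r))) & MASK


def rotr(v: int, r: int) -> int:
    return ((v >> r) | (v << (BITS - r))) & MASK


def F(x: int, h: int) -> int:
    """Toy invertible chaining step H_i = F(M_i, H_{i-1}) (assumption: a 16-bit
    stand-in for the 64-bit invertible checksum function of the attack)."""
    return rotl(((h ^ x) * MULT) & MASK, 7)


def F_inv(x: int, h_next: int) -> int:
    """H_{i-1} = F^{-1}(M_i, H_i): the unique state that F maps to h_next under x."""
    return ((rotr(h_next, 7) * MULT_INV) & MASK) ^ x


def hash_chain(blocks, h0: int) -> int:
    for b in blocks:
        h0 = F(b, h0)
    return h0


def fixed_point_pairs(z: int, samples: int, seed: int = 1):
    """First birthday problem: table of F(X, Z) over random X versus F^{-1}(Y, Z)
    over random Y. A match F(X, Z) == F^{-1}(Y, Z) means F(Y, F(X, Z)) == Z, so the
    pair (X, Y) returns the chaining state to Z."""
    rng = random.Random(seed)
    forward = {}
    for _ in range(samples):
        x = rng.getrandbits(BITS)
        forward[F(x, z)] = x
    pairs = []
    for _ in range(samples):
        y = rng.getrandbits(BITS)
        h = F_inv(y, z)
        if h in forward:
            pairs.append((forward[h], y))
    return pairs


def demo(z: int = 0x1234, samples: int = 1 << 10):
    """Return (number of pairs found, state after one ordering of four pairs,
    state after the reverse ordering). Both states equal z: every choice of pairs
    is a different message with the same intermediate hash value."""
    pairs = fixed_point_pairs(z, samples)
    assert all(F(y, F(x, z)) == z for x, y in pairs)
    msg_a = [b for p in pairs[:4] for b in p]
    msg_b = [b for p in reversed(pairs[:4]) for b in p]
    return len(pairs), hash_chain(msg_a, z), hash_chain(msg_b, z)


if __name__ == "__main__":
    print(demo())
```

With 2^10 samples on each side of a 16-bit state the expected number of matches is 2^20/2^16 = 16, mirroring the 2^72/2^64 = 256 pairs of the 64-bit case; the cost is 2*2^10 evaluations instead of the 2^16 that a generic collision search on 16 bits would need when the function cannot be run backwards.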

It is worth mentioning that Coppersmith's attack also applies to attempts to extend the MAC 
of FIPS PUB 46 or ANSI X9.9 to 128 bits (in order to try to overcome Yuval's attack against the 
plaintext) by simply concatenating two or more MACs using two or more different 
authentication keys. The reason is that the MAC function, i.e., DES Cipher Feedback mode 
encryption, is invertible, and in addition the components are separable and individually too 
small to resist a birthday attack 14. As a result, and contrary to the advice in the second and third 
papers in this series, the 64-bit Message Authentication Code technique by itself cannot be considered 
sufficiently strong, and is not recommended if there is any possibility that the originator may 
attempt to defraud the message recipient, or if a Trojan Horse could circumvent security controls 
through such a mechanism. In addition, the use of a MAC in certain command and control 
situations where the attacker may attempt to spoof computer-controlled equipment or processes is 
also not recommended. 

In practice, the likelihood of all of these blocks being substituted without being noticed may 
be remote, for in the case of the quadruple-iteration QCMDC routine this amounts to 16392 bytes 
that would have to be inserted in the text. However, in the previous papers we had committed 
ourselves to detecting even a single inserted, deleted, or manipulated bit, regardless of the 
amount of text and independent of any internal syntactical or semantic content. After all, if we 
were to rely solely on internal consistency checks to detect such manipulations we would first 
have to invent a suitable manipulation detection scheme! 

It should therefore be observed that Coppersmith's triple-birthday attack will succeed against a 
multiple-iteration QCMDC routine if two conditions are true: 

1. If the checksum function is invertible, so that it is possible to work both forwards and 
backwards to produce matching values in a birthday-problem attack. 

2. If the checksum function is subject to decomposition into separate and independent 
elements, each of which is sufficiently small that the birthday-problem attack is feasible 
from the standpoint of computation time and storage. If the checksum function were to 
involve a 128-bit result that could not be broken down into something smaller, then the 
birthday attack would be infeasible because it would involve generating, storing, and 
comparing on the order of 2^64 128-bit checksums and 64-bit permutation indices, or about 
8.8*10^20 bytes of storage, or 5 quadrillion reels of 6250 bpi magnetic tape. 



14. This is not to say that a suitable 128-bit checksum could not be constructed using DES or any other 64-bit block cipher, but 
only to caution that the task is not nearly as trivial as it may appear at first glance. 
In the case of the simple QCMDC routine (where H_i = (H_{i-1} + M_i)^2 modulo N), the addition of 
H_{i-1} and M_i makes the function technically non-invertible from the standpoint of exactly and 
uniquely reproducing the input H_{i-1} given some H_i, since H_i is a function of two independent 
variables. But it is sufficient if the attacker can construct a value Y_{i-1} = F^{-1}(X_i) which, when 
computed in the forward direction, will produce the desired result for H_i. To do this, note that 
(K*N + X) mod N = X. Therefore, multiply the modulus N by some variable K such that K*N + H_i 
is a perfect square, and take the square root of the result. Then Y_{i-1} + X_i = SQRT(K*N + H_i), and the 
value of X_i that will satisfy this relation is SQRT(K*N + H_i) - Y_{i-1}. 
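As an added worked example (not from the original paper), the following Python code implements the original QCMDC of section 3.1 (Z_i = (Z_{i-1} + X_i)^2 mod N with the Mersenne prime N = 2^31 - 1) and then runs it backwards in the sense just described: given any chaining value H_{i-1} of the attacker's choosing and a desired output H_i, it finds the block X_i that produces H_i in the forward direction. Instead of searching for a K that makes K*N + H_i a perfect square, this example takes the square root modulo N directly (since N = 3 mod 4 the root of a quadratic residue t is t^((N+1)/4) mod N; this shortcut is an assumption of the example, not the paper's wording), which amounts to the same thing. Every QCMDC output is a square modulo N, so the root always exists for a genuine MDC value; this is why the secret seed S could not prevent an attacker from meeting a chosen MDC from any prefix he controls.

```python
N = (1 << 31) - 1   # Mersenne prime 2^31 - 1, modulus of the original QCMDC


def qcmdc(words, c: int = 0) -> int:
    """Original QCMDC: Z_0 = C, Z_i = (Z_{i-1} + X_i)^2 mod N, MDC = Z_n."""
    z = c
    for x in words:
        z = (z + x) * (z + x) % N
    return z


def sqrt_mod_n(t: int):
    """A square root of t modulo N, or None when t is a non-residue.
    Euler's criterion decides residuosity; since N = 3 (mod 4) a root of a
    residue is t^((N+1)/4) mod N (assumption: the example's way of inverting
    the squaring step)."""
    t %= N
    if t == 0:
        return 0
    if pow(t, (N - 1) // 2, N) != 1:
        return None
    return pow(t, (N + 1) // 4, N)


def step_backwards(target: int, z_prev: int):
    """Given a desired H_i = target and a chosen H_{i-1} = z_prev, return the block
    X_i with (z_prev + X_i)^2 mod N == target, or None if target is a non-residue."""
    r = sqrt_mod_n(target)
    if r is None:
        return None
    return (r - z_prev) % N


def forge_last_block(prefix, target: int, c: int = 0):
    """Meet-in-the-middle: run any attacker-chosen prefix forward from C, then
    pick the final block so that the whole message hashes to `target`."""
    return step_backwards(target, qcmdc(prefix, c))


if __name__ == "__main__":
    target = qcmdc([1, 2, 3, 4])          # MDC of a genuine message
    x = forge_last_block([9, 8, 7], target)
    print(hex(target), x, qcmdc([9, 8, 7, x]) == target)
```

Because the function can be driven backwards this cheaply, an attacker needs only the forward and backward tables of the birthday attack, never a brute-force search of the 2^31 possible outputs.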

This suggests a variation of the QCMDC routine that would involve XOR(s) or some other non- 
linear combining function that would not be susceptible to a square root attack. If in addition 
the routine involved all 128 bits of the text and all 128 bits of the MDC of the previous block, 
then neither of the two conditions would be true and the triple-birthday attack would therefore 
be defeated. However, as the indefatigable Dr. Coppersmith pointed out, this is not necessarily a 
trivial task. 

In order to make the MDC function non-invertible it is necessary to introduce a history function, 
i.e., some value that would not yet be known when working in the backwards direction, 
calculated in some non-linear manner so that the square root attack will not work. In addition, 
it appears necessary to incorporate multiple references to both the text to be authenticated and 
to the previous MDC result, so that the only value that would satisfy the forward relationship is 
the proper one. Not only must each bit of the checksum function be a function of all of the bits 
in the full 128-bit text block together with all of the bits in the MDC of the previous block, but 
additional dependencies should be introduced to ensure that the function is not just minimally 
dependent on those bits but is over-constrained instead. 

Finally, as stated previously, the MDC function must produce a value on the order of 128 bits in 
length in order to defeat the various birthday attacks against the text itself. 

3.3 The New, Improved QCMDCV4 Algorithm 

The following algorithm, dubbed the Quadratic Congruential Manipulation Detection Code, 
Version 4 (QCMDCV4) for brevity, is proposed to satisfy these requirements: 

Consider a 128-bit (16 byte) block of text, divided into four 32-bit words, T_1, ..., T_4. For reasons 
that will be explained later, we will be operating on a 31-bit subset of each of those 32-bit words 
which consists of the sign bit and the low-order 30 bits, i.e., T*_i = T_i AND BFFFFFFF (hexadecimal). In 
addition, we will define a 30-bit fifth component, T**, consisting of the 6 high-order bits of T_1 
(with the 6 bits shifted right two bits and 2 leading zero bits introduced on the left or most-
significant-bit position), concatenated with the high order 8 bits of T_2, T_3, and T_4, to make a 32 
bit word with two high order zero bits. 

Let the 128 bits of the MDC result (obtained from the previous block of text) also be divided 
into four 32-bit integer components M_1, M_2, M_3, M_4; and let the 32-bit components of the new 
MDC result be designated as M*_1, M*_2, M*_3, M*_4. 

Finally, define a set of moduli N_1, ..., N_4, consisting of the four largest prime numbers less than 
the maximum 32-bit integer, namely 2147483629 (2^31 - 19), 2147483587 (2^31 - 61), 2147483579 
(2^31 - 69), and 2147483563 (2^31 - 85). 

Then calculate (where ⊕ denotes the bitwise Exclusive OR of two 32-bit words): 

    M*_1 = [ (M_1 ⊕ T*_1) - (M_2 ⊕ T*_2) + (M_3 ⊕ T*_3) - (M_4 ⊕ T*_4) + T** ]^2 mod N_1 

    M*_2 = [ (M_2 ⊕ T*_1) - (M_3 ⊕ T*_2) + (M_4 ⊕ T*_3) - (M*_1 ⊕ T*_4) - T** ]^2 mod N_2 

    M*_3 = [ (M_3 ⊕ T*_1) - (M_4 ⊕ T*_2) + (M*_1 ⊕ T*_3) - (M*_2 ⊕ T*_4) + T** ]^2 mod N_3 

    M*_4 = [ (M_4 ⊕ T*_1) - (M*_1 ⊕ T*_2) + (M*_2 ⊕ T*_3) - (M*_3 ⊕ T*_4) - T** ]^2 mod N_4 

Several features of this algorithm should be noted. First, each of the 16 different XOR 
combinations is unique. Second, even if a significant amount of the text contains all zeroes 
(with the result that the XOR does nothing), the alternating signs for the M_i and T** components 
operate in such a manner that the contribution of the various terms will be different in each 
case. Finally, the M*_i values are introduced into the computation of the subsequent components 
as soon as they are available, so that there is a great deal of inter-dependency and mixing. As a 
result, each 32-bit component of the MDC result is an over-constrained function of all of the text 
and all of the prior MDC. 

The previous papers had proposed a constant value for the modulus, N, equal to the Mersenne 
prime 2^31 - 1 (2147483647), for all four of the 32-bit M*_i results. But as Don Coppersmith pointed 
out when reviewing a draft of the current procedure, because 2^31 - 1 is the largest number that 
can be contained in a four byte integer in two's complement form, XORing the hexadecimal bit-
string 80000001 has the effect of inverting the sign and the low order bit, which can be the 
equivalent of adding or subtracting the modulus. As a result, even when the intermediate sum is 
squared, the division by the 2^31 - 1 modulus frequently produces no change in the result, 
depending on the sign of the T_i and whether a carry would be required, and a modification to 
the text could thereby escape detection. 

Coppersmith proposed picking up the text only 24 bits at a time to avoid this problem, using 
additional iterations to get back to around 128 bits. In an attempt to overcome this problem 
without the overhead of an additional iteration, the four different primes for the moduli N_i 
were introduced, all of them smaller than 2^31. However, it was found that if the text consisted 
of one 32-bit word of random bits and three words of zeroes, then in about 10% of the cases it 
was possible to either add or subtract the value of the first modulus and have the change go 
undetected in the corresponding 32-bit word of the MDC result. Although the use of four 
different values for the moduli means that the substitution does affect the remaining 3 words, or 
at least 96 bits, it was felt that the full 128-bit strength should be preserved. 

For this reason, only 30 bits plus the sign bit of each 32-bit word of text is used in forming the 
intermediate sum. Since the moduli are all greater than 2^30, it is impossible to add or subtract 
the modulus from the text without detection. The final addition or subtraction of T** ensures 
that all of the bits in the text affect all of the bits of the result. 

One further improvement is possible. Because of the squaring operation, each 32-bit MDC 
component will be positive, producing a 124-bit result. But we can calculate the parity of the 
intermediate MDC result, just prior to the multiplication, and then change the sign of each 32-bit 
result if the parity is even. 

Finally, because the algorithm operates on 16-byte blocks, it is necessary to somehow 
differentiate between a text string that is say 1 byte long and one that consists of the same byte 
extended with up to 15 bytes of zeroes. For that reason the last few bytes (less than 16), if any, 
are moved to a 16-byte buffer, the rest of the buffer zeroed, and the MDC algorithm executed 
N+l times on that same buffer, where N is the number of the last few bytes. N+l is used 
instead of N, because a block that is 16 bytes long has to be processed once, and therefore a 1 
byte block has to be processed twice in order to be distinguished from the previous case. If 
improved performance is needed, the length code of the text can be prefixed to the text, and the 
size of the buffer extended to be an exact multiple of 16 bytes. This technique must be used if 
it is necessary to deal with text strings that are not multiples of 8 bits in length. 15 

In order to avoid a strong correlation between the text and the MDC result in the case where the 
text is very sparse (contains mostly zero bits), it is desirable to use different values for the 
starting values of M_i. For purposes of standardization the values 141421356, 271828182, 
314159265, and 57721566 are suggested. 
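The following Python implementation of QCMDCV4 is an added example assembled from the description in section 3.3 (the four equations, the T* and T** components, the four prime moduli, the parity sign trick, the N+1 processing of a short final block, and the suggested starting values); it is not the authors' 8087 code. Several points the text leaves open are assumptions here: the 32-bit words are taken little-endian from the byte string (matching the remark in section 4 that the Intel implementation sees the bytes in the order 4, 3, 2, 1, 8, 7, 6, 5, ...); "parity of the intermediate result" is taken as the number of one bits in the sum before squaring; the sign change is applied to each M*_i before it is fed into the following components; and the arithmetic is exact integer arithmetic rather than 80-bit floating point, so this version does not reproduce the dropping of low-order bits described in section 4 and is not bit-compatible with the original implementation.

```python
MASK32 = 0xFFFFFFFF
MODULI = (2147483629, 2147483587, 2147483579, 2147483563)   # 2^31-19, -61, -69, -85
INITIAL = (141421356, 271828182, 314159265, 57721566)      # suggested starting M_i


def s32(x: int) -> int:
    """Interpret the low 32 bits of x as a two's-complement integer."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def compress(m, block: bytes):
    """One QCMDCV4 step: 128-bit state (four signed 32-bit M_i) and a 16-byte block."""
    assert len(block) == 16
    # T_1..T_4 as little-endian 32-bit words (assumption, see lead-in)
    t = [int.from_bytes(block[i:i + 4], "little") for i in range(0, 16, 4)]
    t_star = [s32(w & 0xBFFFFFFF) for w in t]            # sign bit + low-order 30 bits
    # T**: 00 | top 6 bits of T_1 | top 8 bits of T_2 | top 8 of T_3 | top 8 of T_4
    t_ss = ((t[0] >> 26) << 24) | ((t[1] >> 24) << 16) | ((t[2] >> 24) << 8) | (t[3] >> 24)
    regs = list(m)          # M_1..M_4; the M*_j are appended as they are produced
    for i in range(4):
        # Row i uses the operands M_{i+1}, M_{i+2}, M_{i+3}, M_{i+4} of the cyclic list
        # M_1..M_4, M*_1..M*_3, so each of the 16 XOR combinations is distinct.
        acc = (s32(regs[i] ^ t_star[0]) - s32(regs[i + 1] ^ t_star[1])
               + s32(regs[i + 2] ^ t_star[2]) - s32(regs[i + 3] ^ t_star[3]))
        acc += t_ss if i % 2 == 0 else -t_ss              # alternating sign of T**
        r = acc * acc % MODULI[i]                         # exact squaring and reduction
        # Parity trick (assumption on the parity definition): negate the component
        # when the intermediate sum has an even number of one bits, so the sign bit
        # carries information and the result is a full 128 bits rather than 124.
        if bin(abs(acc)).count("1") % 2 == 0:
            r = -r
        regs.append(r)
    return tuple(regs[4:])


def qcmdcv4(data: bytes):
    """Return the 128-bit MDC as four signed 32-bit components (M*_1..M*_4)."""
    m = INITIAL
    full, rem = divmod(len(data), 16)
    for i in range(full):
        m = compress(m, data[16 * i:16 * (i + 1)])
    if rem:
        # Short tail: zero-pad to 16 bytes and process it rem + 1 times, so that a
        # 1-byte text (two steps) differs from the same byte plus 15 zeroes (one step).
        tail = data[16 * full:] + bytes(16 - rem)
        for _ in range(rem + 1):
            m = compress(m, tail)
    return m


def qcmdcv4_hex(data: bytes) -> str:
    """The four components as 32 hex digits, big-endian within each component."""
    return "".join((v & MASK32).to_bytes(4, "big").hex() for v in qcmdcv4(data))


if __name__ == "__main__":
    for sample in (b"", b"A", b"A" + bytes(15), b"The quick brown fox jumps over the lazy dog"):
        print(f"{sample!r:50} {qcmdcv4_hex(sample)}")
```

The checks worth running against any implementation of this kind are the ones the text motivates: a one-byte text and the same byte padded with zeroes must differ, a single flipped bit in any word must change the result, and every component must stay within a signed 32-bit word so that the four together form exactly 128 bits.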

4 Implementation Considerations 

The QCMDCV4 algorithm has been implemented and tested on the IBM PC and AT 
microcomputers and the Compaq 286 Portable, and should run correctly on any similar machine 
which uses the Intel 8088, 8086, 80188, or 80286 CPU chip in combination with the 8087 or 80287 
Numeric Data Processor chip. The 8087/80287 is used to significantly speed up the calculation 
of the various arithmetic operations, in particular the division modulo the large primes. 



15. It may be worth mentioning that the ANSI X9.9-1986 authentication standard and the definition of the MAC in FIPS PUB 46 do 
not take this problem into account, and therefore do not differentiate between a short message (one that is not a multiple of 8 
bytes in length) that must be padded with zeroes, and one that is a multiple of 8 bytes in length and happens to contain zeroes at 
the end. Although binary zeroes would be interpreted as ASCII null characters and would not be confused with the ASCII "0" 
(hexadecimal 30) character in coded text, formatted binary information is allowed by paragraph 5.1 of that standard, which does 
not specify that a length indicator field must be used. The confusion therefore could occur in this case. 
During the calculations the results are kept in IEEE Binary Floating Point 80-bit Temporary 
Real format with a 64-bit mantissa, and T_i and M_i are in Intel 32-bit integer (IBM/Microsoft 
Pascal INTEGER4) format. (Note that the Intel format loads and stores register contents in 
"reversed" order, i.e., with the low order byte coming first in memory, so that the text bytes are 
processed in the order 4, 3, 2, 1, 8, 7, 6, 5, etc.) 

In the worst case, the total resulting from the alternating sign terms could range from -2^33 to 
2^33 - 4, in which case the squaring operation would produce a value as large as 2^66. Because the 
operation is carried out in floating point an overflow cannot occur, but a number that large 
cannot be represented in the 64-bit mantissa without loss of precision. If the 8087/80287 control 
word status were set to enable the precision interrupt then an interrupt would occur in that 
event, but the normal Pascal setting is to disable such interrupts. The result in the normal case 
will therefore be to round up or down to the nearest even value as appropriate (assuming the 
normal setting for the rounding mode), and discarding up to four low order bits of the sum. It 
should be noted that for precision loss to occur, the signs of the 32-bit result of the XOR must 
be +, -, +, -, to match the order of operations. As a result, it would be extremely unlikely for a 
loss of precision to occur on all four of the 32-bit intermediate result computations because of 
the way the text is cycled through the algorithm. In addition, if the intermediate result is 
viewed as the sum 2x + y, where x represents the 31 high order bits and y the two low order bits, 
then the square is 4x^2 + 4xy + y^2. Therefore, even though the low order y^2 bits are dropped 
after the multiplication this does not mean that the low order bits of the original quantity are 
ignored, since they affect the mid-square (4xy) component of the result. For this reason it is not 
possible for the low order bit or bits of one or more of the 32-bit words of text to be changed 
without causing a change in all 128 bits of the result. 

The 8087/80287 FPREM instruction computes an exact remainder by successive subtractions, the way division is done by hand, instead of using the more usual technique of dividing, rounding, multiplying, and subtracting from the original. The FPREM instruction is as fast as a divide, and is guaranteed to be accurate, without any roundoff. However, because the modulus is slightly less than 2^31 and the maximum value of the result after the squaring operation is 2^66, the FPREM operation is not guaranteed to be completed in one operation (since the difference in magnitude between the dividend and the divisor may be larger than 2^64 and FPREM shifts at most 64 bits in one operation), but it will always be complete in two operations. For this reason, the 8087/80287 condition code is tested after each FPREM and an additional FPREM performed if necessary.
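The precision-loss argument and the repeated-FPREM loop above, as an added example that is not the paper's code: a Python emulation, in exact integers, of rounding to a 64-bit mantissa and of a partial remainder that reduces at most 64 bits of exponent difference per step. The modulus 2^31 - 1 is a constructed stand-in for the paper's primes, and the FPREM model is a simplification of the real instruction.

```python
# Added example (not from the paper): exact-integer emulation of the two
# numeric behaviours discussed above, the 64-bit mantissa of the 8087/80287
# temporary real format and an FPREM-style partial remainder that reduces
# at most 64 bits of exponent difference per step.

MANTISSA_BITS = 64          # 8087/80287 temporary real format
TOY_MODULUS = 2**31 - 1     # constructed stand-in for the paper's primes


def round_to_mantissa(value, bits=MANTISSA_BITS):
    """Round an integer to `bits` significant bits, ties to even.

    Models storing an exact product such as (2x + y)^2 in a register whose
    mantissa holds only 64 bits, with the precision exception masked and the
    default round-to-nearest-even mode (the case the text describes).
    """
    if value < 0:
        return -round_to_mantissa(-value, bits)
    excess = value.bit_length() - bits
    if excess <= 0:
        return value                      # representable exactly
    ulp = 1 << excess                     # spacing of representable values
    q, r = divmod(value, ulp)
    half = ulp >> 1
    if r > half or (r == half and q & 1):  # round half to even
        q += 1
    return q * ulp


def square_with_rounding(t):
    """(2x + y)^2 as the coprocessor holds it after the multiply."""
    return round_to_mantissa(t * t)


def low_bit_changes_square(t):
    """True if flipping the low-order bit of t changes the rounded square.

    Illustrates the 4x^2 + 4xy + y^2 argument: even when the y^2 bits are
    rounded away, the 4xy cross term moves the stored result.
    """
    return square_with_rounding(t) != square_with_rounding(t ^ 1)


def fprem_step(dividend, divisor, max_shift=MANTISSA_BITS):
    """One FPREM-like step on a non-negative dividend: exact, no rounding.

    Like the instruction, a single step reduces the exponent difference by
    at most `max_shift` bits and reports whether the result is already the
    final remainder (the condition code the implementation tests).
    """
    if divisor <= 0 or dividend < 0:
        raise ValueError("divisor must be positive, dividend non-negative")
    diff = dividend.bit_length() - divisor.bit_length()
    if diff <= max_shift:
        return dividend % divisor, True
    # Only the top max_shift bits of the difference are reduced this step;
    # the partial remainder is still congruent to the dividend mod divisor.
    partial = dividend % (divisor << (diff - max_shift))
    return partial, False


def exact_remainder(dividend, divisor, max_shift=MANTISSA_BITS):
    """Repeat FPREM steps until complete; return (remainder, steps)."""
    steps = 0
    done = False
    while not done:
        dividend, done = fprem_step(dividend, divisor, max_shift)
        steps += 1
    return dividend, steps


if __name__ == "__main__":
    t = 2**33 - 3                         # near the worst-case magnitude
    print("exact square   :", t * t)
    print("rounded square :", square_with_rounding(t))
    print("low bit matters:", low_bit_changes_square(t))
    print("remainder,steps:", exact_remainder(square_with_rounding(t), TOY_MODULUS))
```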

In order to produce the fastest possible implementation, the XORs and other CPU instructions 
are executed in parallel with the coprocessor addition, subtraction, multiplication, and FPREM 
operations whenever possible. The FWAIT instructions necessary to ensure that the coprocessor 
has finished with its computations before the CPU reads the results are delayed as long as 
possible to permit the maximum possible overlap. Although the original version was coded using 
a macro that was invoked four times for the four different iterations within one block, in the 
final version the code was "unwound" and hand-optimized to permit maximum overlap. 

On an IBM-PC with an 8088 & 8087 and a 4.77 MHz clock, the time to MDC check 1,000 512-byte blocks was 43.5 seconds, or 1359.5 microseconds per 16 bytes. This corresponds to 94.2 kilobits per second. By comparison, the time for the fastest known software implementation of DES for the PC is 2801 microseconds per 8 bytes (22.8 Kbps, or 171K bytes per minute). With an 80287 speedup kit (consisting of an 8 MHz 80287 with its own clock crystal on a plug-in daughter-board) installed in an IBM AT with the standard 6 MHz 80286, the same test took 813.6 microseconds for 16 bytes (157.3 Kbps), or 1.18 megabytes per minute, compared to the DES time of 933 microseconds per 8 bytes. We are currently awaiting the availability of the new Intel 80386 CPU together with the 80387 coprocessor to time that configuration. We expect to recode the algorithm to take advantage of the new 386/387 instructions, and anticipate that the result will run about 4 times faster than on the IBM AT. Depending on the clock speeds of the processors involved, then, the 128-bit MDC technique is anywhere from 4.6 to 8.1 times faster than computing two independent 64-bit Message Authentication Codes in software using the fastest known software DES implementation for the IBM PC or AT.[16] From a human factors standpoint, this means that the entire contents of a floppy disk (362K bytes) can be authenticated to the most stringent standards in less than 15 to 30 seconds on current microprocessors, without benefit of any special cryptographic hardware.

4.1 MDC Test Program 

The following program, written in IBM/Microsoft Pascal for the IBM PC, can be used to verify 
the proper operation of the QCMDCV4 algorithm: 

    {$TITLE: 'CHECKMDC - Verify MDC algorithm.'}
    {$FLOATCALLS- (Generate native 8087/80287 code.)}

    PROGRAM checkmdc(input, output);

    TYPE
      checksums = ARRAY [1..4] OF INTEGER4;

    VAR [PUBLIC]
      text:    PACKED ARRAY [1..33] OF CHAR;
      text_p:  ADSMEM;
      n_bytes: WORD;
      result:  checksums;
      i, j:    INTEGER;

    VAR [EXTERN]
      mdc_name: PACKED ARRAY [1..8] OF CHAR;   { 'QCMDCV4 ' }

    CONST
      mdc_init = checksums(141421356, 271828182, 314159265, 57721566);
      check    = checksums(-1900412449, 676867420, -689076088, 1333643940);

    PROCEDURE mdc(text_ptr: ADSMEM; n_bytes: WORD; VARS result: checksums); EXTERN;

    BEGIN
      WRITE(output, 'Verifying MDC routine (', mdc_name, ')...');

      { Start from a buffer of 33 zero bytes with a single 1 in the first byte. }
      FOR i := 1 TO 33 DO text[i] := CHR(0);
      text[1] := CHR(1);
      text_p := ADS text;
      result := mdc_init;

      { 50 iterations: lengths 1..33 bytes, then 32 bytes; each pass feeds the
        low byte of the previous MDC back into the front of the buffer. }
      FOR i := 1 TO 50 DO
        BEGIN
          IF i < 34 THEN n_bytes := WRD(i)
          ELSE n_bytes := 32;
          mdc(text_p, n_bytes, result);
          FOR j := 32 DOWNTO 1 DO text[j+1] := text[j];
          text[1] := CHR(LOBYTE(LOWORD(result[4])));
        END;

      IF result[1] = check[1] AND THEN
         result[2] = check[2] AND THEN
         result[3] = check[3] AND THEN
         result[4] = check[4]
      THEN WRITE('OK.')
      ELSE
        BEGIN
          WRITE('MDC is INCORRECT!');
          WRITELN(result[1], result[2], result[3], result[4]);
        END;
      WRITELN;
    END.

16. In addition, two independent 64-bit MACs are not believed to be nearly as secure as a single 128-bit MDC.



5 Summary and Conclusions 

Several architectural justifications have been presented for an authentication algorithm which does not require a traditional crypto "black box" approach using secret cryptographic keys, with all of the key management difficulties that entails. In particular, the relatively common practice of using link encryption for secrecy at the OSI Data Link layer and implementing end-to-end authentication at the Presentation Layer would profit from "keyless", non-cryptographic means of authentication that could be easily implemented in both PCs and general-purpose main-frame computers.
The need for a checksum on the order of 128 bits in length was reaffirmed, both in the case of two mutually suspicious, potentially deceitful users where one may attempt to defraud the other, and in the command and control case where the attacker may have an almost unlimited ability to attempt to spoof the system. Contrary to the author's previous position, it was concluded that the 64-bit Message Authentication Code (MAC) approach of FIPS PUB 46 cannot be considered sufficiently strong in the case where the originator of a message may attempt to defraud the recipient, as well as in some command and control and multi-level security situations.

The MAC checksum technique used by ANSI X9.9-1986 is viewed as particularly unfortunate, both because of the inadequate 32-bit length and because no provision was made to distinguish between a short block that was padded and a block that is a multiple of 8 bytes that happens to end with the same characters.

Coppersmith's Triple Birthday attack as it applied to the original QCMDC algorithm was 
summarized, and it was concluded that in order for that attack to be defeated it was necessary 
to ensure that the checksum function is not invertible, and that the length of the checksum be on 
the order of 128 bits in length. 

The QCMDCV4 algorithm was described, which uses XORs plus a history function to ensure that the function is not invertible. The function computes a 128-bit result that is an over-determined function of 128 bits of the text and the 128-bit MDC result of the previous text block that cannot be decomposed. A "birthday attack" against the QCMDCV4 result cannot succeed, because of the enormous number of variations that would have to be computed, sorted and compared. In order to ensure that a message that is not an even multiple of 128 bits can be distinguished from the same message extended with zeros, the algorithm is executed N + 1 times on the last buffer, which contains the last N bytes of data extended with zeros.

The QCMDCV4 algorithm is recommended for use in microcomputer and main-frame 
applications where encryption will be provided separately and it is desirable not to have to 
replicate the encryption function for authentication. It is also suitable for use in combination 
with a public-key algorithm when implementing a digital signature function to protect against 
fraud. 
1. An Introduction to Australian Banking. 

1.1 Before Deregulation. 

The control of the Australian money supply was the responsibility of 
the Reserve Bank, a statutory body which had many powers such as setting 
the foreign exchange rate, issuing currency, issuing Australian Government 
bonds (thus determining interest rates), monitoring the monetary supply, 
determining the statutory deposit rate (the proportion of bank deposits which 
had to be deposited with the reserve bank) and generally guaranteeing the 
stability of the currency and banking system. 

There were seven national and a small number of state banks which 
had licences to issue cheques and access to cheque clearing facilities and 
thus the exchange of value. All these banks had a large number of outlets so 
that in the cities there would be an outlet every one or two kilometres. 

All these national banks had associated savings banks with which the 
general public could deposit funds, generally at a very low interest rate, and 
borrow funds for purchasing housing. Housing interest rates were controlled 
by the Government via the Reserve Bank. There were a small number of 
savings banks not associated with cheque issuing banks. 

Savings banks only lent a maximum of 65% of the value of a house 
and so non-bank financial institutions, building societies, arose. The general 
public made deposits with building societies by buying shares in the society. 
Societies lent up to 95% of the valuation of a house, at a slightly higher 
interest rate than savings banks, paid a higher interest rate on deposits and 
wrote customers cheques on the society account as required. They marketed 
their services aggressively and won considerable public support. Building 
societies also had a large number of outlets and longer opening hours than 
banks. 
Still there was a gap in the market for the provision of consumer finance other than via finance companies, mostly also associated with banks, which often charged extremely high interest rates. The banks met this opening by issuing an Australia wide indigenous credit card - the Bankcard.

The other main move into this market segment was via Credit Unions which were originally organisations based on a membership with some commonality of interest, e.g. working for a University or the public service. Members joined the Credit Unions by buying a share and thereafter could deposit and borrow funds at attractive rates. The Credit Unions, via EFT Pty Ltd, forced the pace of electronic banking in Australia; they market aggressively via T.V. and have wide consumer acceptance.

There was a small number of merchant or wholesale banks but these 
usually had only at most a handful of offices in Australia and were invisible 
to the general public. 
Figure 1: Australian Banking before Deregulation. 
1.2 After Deregulation. 

In the early 1980's it became apparent that there was considerable speculation against the Australian currency at a time when there was considerable volatility between the exchange rate of foreign currencies and high domestic inflation. This ultimately led to the Government's decision to deregulate the exchange rate and allow the Australian dollar to float in the international currency market.

At the same time the banks within Australia had an effective cartel so 
there was no competition. The Government announced that it would issue 16 
new banking licences and that foreign banks would be able to apply for 
licences. 

The indigenous banks would have to become bigger in order to survive in a world wide competitive market and there were a number of mergers leaving four major Retail Banks. Another cheque issuing bank (the State bank) which did not have a savings bank subsidiary acquired a building society, a building society that was issued a banking licence became a bank (the Advance bank), and other organisations that were issued licences are trying to acquire building societies in order to obtain retail outlets.

At the moment the four major Retail Banks, the ANZ, the Commonwealth, the National Australia and Westpac, have extensive retail outlet networks in place, gaining a major advantage in the Australian market.

Many building societies, some very large, survive as have credit 
unions and merchant banks. 
Figure 2: Australian Banking after Deregulation. 
1.3 Debit And Credit Cards. 

Bankcard, the indigenous credit card, has gained wide acceptance in 
Australia with 5.5 million cards issued to a population of 15 million. 

Mastercard and Visa made an abortive entry to the Australian market in 1979-81 but were withdrawn. They re-entered the market, with different conditions attached, in 1984 and have been aggressively marketed by some banks who wanted to discontinue Bankcard. Nevertheless Bankcard, which has very extensive market penetration in Australia and New Zealand, survives.

All banks and non-bank financial institutions have issued debit cards 
for use with ATMs and POS. 
2. Development of eftpos in the Australian Context. 

In the development of any commercial activity there are obviously a 
range of factors which are not only crucial to the establishment of the 
activity, but also its ongoing success. For convenience of classification, such 
factors can be defined as: 

1. Commercial/Strategic considerations 
2. Technical considerations 
3. Socio-political considerations 

The financial industry in Australia, like those in other countries, has undergone a process of rapid transformation over recent years. This transformation can, in large part, be attributed to two factors.

• The first is the move towards the deregulation of financial markets 
and, 

• the second, increased utilisation and application of technology to a 
range of banking activities. 

Within this environment, Australian Retail Banks have had to face 
two major challenges. 

First, the need to meet the intensification of competition between a range of financial institutions by providing customers with the services they demand; in particular, at the retail end, convenient and speedy access to customer funds when and where they want them.
Second, Australian Retail Banks have had to seek to contain and, over a period of time, reduce the cost pressures which operate on organisations of their size.

Within Retail banking, eftpos plays a major role in both of these areas. The level of branch banking representation in Australia per head of population is significantly higher than in most other countries. Eftpos is seen as an important means of reducing the reliance of the customer base on an expensive, labour intensive, and until recently, paper dominated, branch banking system.

The marketing thrust in this respect is to achieve a much lesser reliance, for simple debit and credit transactions, on the expensive one to one banking operation with its attendant reliance on paper documentation. The Australian Retail Banks have sought, therefore, to achieve a higher level of direct crediting of salaries to bank accounts. Once the Australian Retail Banks have this money, they are seeking to ensure that further transactions - whether they be cash debits for food purchases, further credits or payment of regular accounts - occur electronically. The Australian Retail Banks are now looking to encourage their customer base also to use Point Of Sale.

The importance of succeeding in this strategy of achieving a higher level of direct crediting of wages is revealed by the fact that approximately 70% of employees in Australia are still paid in cash. As a comparison, less than 5% of wage and salary earners in the USA, Canada and France are paid in cash. We note that in 1985 Australians used cash for 90% of all transactions.

For people to utilise a new form of financial delivery system - which is what eftpos is - some change in banking habits is required. It has been found that Australians - particularly young Australians - are not hesitant to use new technology in banking, but eftpos providers have had to ensure that the placement of POS terminals and the promotion of the overall eftpos system is well planned and executed to encourage utilisation.
In this respect, market research has revealed that the largest outgoings 
from the household income, apart from mortgage or rent payments are for 

• food and household goods, and for, 

• petrol and other motor vehicle related expenses, 

Further, research has indicated that people shop for food or buy petrol 
at least once a week. 

As a result of this market research, locating eftpos terminals, particularly during the development phase, in retail outlets such as supermarkets and petrol stations has been the most appropriate means of achieving the aim of providing customers with a delivery system which enables them to gain access to their funds at convenient times and convenient locations.

When you consider that all four major Australian Retail Banks are actively involved in eftpos developments it becomes very clear that Australia has made a substantial commitment to this form of banking technology and is a significant way down the road to achieving a fully integrated system.

We will now consider the structure of the eftpos system in Australia. This is a subject of considerable importance and one which has excited considerable debate not only internationally but also in Australia.

There are a number of options or alternatives which were proposed in 
relation to the development of eftpos systems. While there are a range of 
variations, two of the major options can be defined as follows. 
First, there is a centrally owned and operated system, often called a 
single access system. This system could be controlled, for example, by a 
public utility; be owned by a private company or established as a consortium 
of various interests and groups. It is basically this structure which the British 
have been pursuing and which, we believe, is being developed in Singapore. 
In Australia it would have to be achieved by using Telecom Australia's 
Austpac Switching Network or a private switching network and be jointly 
administered by all participants. 

Second, there is the approach initially being strongly advocated by the four major Australian Retail Banks. It is a decentralised system, known as the "gateway" structure, in which management and control of the machinery and switching system is in the hands of a number of players - in Australia's case the banks - that cooperate for the exchange of value. As initially proposed it was to be a closed system with retailers tied to their bank.

A central feature of the gateway approach to the development of EFT, particularly with reference to POS, is that it is a component in the exchange of value. Inherent in such an arrangement is the ability to guarantee to a receiving party that an exchange of value will occur consistent with a message transaction through the EFT system. The very concept of EFT is to transfer funds, and this consideration had a bearing on the insistence of the four major Retail Banks that only they could guarantee the exchange of value.

The four major Australian Retail Banks were looking for an eftpos system which would, as far as practicable, be driven by market considerations and be market sensitive. They saw such a precondition as essential to the fulfillment of the requirements of the main participants in any eftpos system.

The Australian Retail Banks' belief that the gateway approach offered the best means for actually getting eftpos established in Australia was probably well founded. They foresaw that intractable delays and immense administrative, logistical and financial problems were associated with an approach which sought to bring together a range of interests and participants to develop a complex set of commercial arrangements.

The Banks had observed the United Kingdom experience, and 
believed it was both untenable and ultimately not in the best interests of the 
banks or their customers to attempt to duplicate what this country had set out 
to do. The Banks went into eftpos in an effort to gain a market advantage. 
Some of the Australian Retail Banks have obtained this market advantage, 
and at the same time, not sacrificed the ultimate integrity and viability of a 
fully operational and interlinked system between a wide range of financial 
institutions, retailers and consumers. 

A major disadvantage to the gateway approach is the restrictions 
imposed on the market by excluding from or giving only limited access to 
new retail banks, non bank financial institutions such as building societies 
(which are a major source of housing finance), credit unions (which provide 
extensive services to members of cooperatives), merchant banks and 
insurance companies. 

The gateway concept as initially advocated has now been modified in light of the vocal and valid criticisms by the non Retail Bank sector that it was being effectively excluded from the market and by the Retail Traders Association that it did not adequately service all their customers. Agreement has now been reached that the eftpos terminals will accept all bankcards, debit and credit, as well as other cards such as American Express.

The major Retail Banks saw the "gateway" leading to more rapid implementation, breaking through the log jam of establishing a central system. They also saw the gateway as building incrementally on existing relationships between participants. The very essence of the gateway structure is a modular or incremental set of stages leading to full integration. The three main modular stages can be briefly described as follows.
3. Modular Stages. 



3.1. Stage One. 

Stage one is a simple single connection between a retailer and a bank 
with only the cards issued by the participating bank being accepted. This is 
the stage Australia has already gone through. It is basically a process of 
experimentation, testing and verification. 

3.2 Stage Two. 

Stage two is an extension of the network to other settlement capable Australian Retail Banks, with the cards issued by those banks also being accepted. Note that we are talking about settlement capable financial institutions, which relates to our earlier point that eftpos is about the exchange of value. In Australia, it is only the banks which have this settlement capability, through our central bank - the Reserve Bank.

3.3 Stage Three. 

Stage three further extends the network, this time to include other non settlement capable financial institutions. In Australia's case these are building societies and credit unions. Such institutions gain access to the system on an agency or sponsorship basis, whereby a bank undertakes to settle on their behalf.

Returning to the point of building on existing commercial arrangements between participants, one must realise that eftpos is first and foremost a set of complex commercial arrangements between the participants. One of the key strengths of the gateway structure is that it utilises existing relationships. These relationships can be identified as those:

• between a bank and retailer 

• between a bank and the clearing house 
• an inter settlement capability between banks 

• a relationship between a retailer and a non bank financial institution 
and, finally 

• between a non bank financial institution and bank. 

To illustrate this point, let us look at the initial part of the process - the relationship between a bank and retailer. In the case of the Australian Retail Banks, one particular bank, Westpac, utilised an existing banking relationship with a supermarket chain, Woolworths Ltd, and extended it to the area of eftpos. The supermarket chain was confident that the eftpos system being introduced would be secure, reliable and, above all else, guarantee payment at the end of the day. Further, the supermarket chain was confident that if the bank entered into a relationship with another Retail Bank or non bank financial institution for the use of their plastic cards in the eftpos system, the same standards would apply and that they would still be assured of receiving value for transactions.

This incremental approach also offered a high degree of flexibility. It recognised that POS would ebb and flow as market forces determine the balance between demand and cost of provision. It also recognised - especially during the initial stages - that the different participants would wish to determine investment decisions, and to make decisions on longer term involvement on the basis of observing actual operation and development. The gateway structure allowed this to happen. It was not designed to lock participants in at the outset.

Another feature of the gateway system which is quite important to the private sector is that it allows for the development of commercial relationships between participants based on market considerations. A fee structure could then be based on negotiation. Many Retailers, however, feared that the gateway, which controls access for other financial institutions, would effectively act as a Retail Bank cartel limiting free market operations. They foresaw that the banks would want them to pay for eftpos, arguing that they provided retailers with access to their customer base. The Retailers argued that they made the sale and the banks should pay for the system. Neither wanted to pass the cost on to the customer who might then revert to paying cash.

The Australian Retail Banks expressed the view that the gateway could only be conducive to innovation and to the effective servicing of all participants - whether they were retailers, customers or the financial institutions.

Very little technical difficulty has been experienced with the majority of the terminals in operation in Australia. Customer usage of the system is increasing steadily, indicating that people are adapting to this form of technology. For example, the Combined Credit Unions Rediteller network, which was the first network of ATMs in Australia, was handling 7000 transactions per month in October 1985. Banks with ATM networks were handling 2-3000 transactions per month at that time.

Also in Australia we have the development of bilateral arrangements between financial institutions, such that the card of one institution is accepted at the terminal of another institution. In the case of Australia's non settlement capable institutions - the building societies and credit unions - agency arrangements have been actively progressed between such institutions and banks. These arrangements were to ensure that the customers of non settlement institutions gained access to the eftpos system while the central element of that system - the guaranteed exchange of value - was maintained.

Let us now outline a few details of a particular eftpos system's operation in Australia. The system gives its customers access to their cheque account and savings account at retail outlets. At present about 4000 outlets are available in supermarket chains, chain stores and petrol retailers.

The customers can access their accounts to pay for goods and obtain some cash (if desired). The amount of cash that can be obtained is set by the individual retailer. For example, at the supermarket the sum of two hundred dollars cash can be obtained (US $130), whereas at the petrol outlets the amount is thirty dollars (US $20). In the supermarkets the terminals are located at the check-out lanes, while at the petrol outlets they are positioned at the service desks.

To operate the system the customer requires a plastic card particular to that financial institution, together with a four digit PIN (Personal Identification Number).

To use the system the customer hands his/her card to the cashier/operator who wipes the card through the terminal and then enters the amount of the transaction. The customer then authorises the transaction by entering his/her PIN through a separate hand-held key pad which we call the Pin Pad. The terminal then communicates with the financial institution's computer and the funds are transferred from the account of the customer to the account of the retailer. This takes on average only fifteen seconds although transactions may be travelling up to 10,000 kilometres.

Upon successful completion of the transaction, the customer is issued with a printed receipt, and details of the transaction (a duplicate of which is held on the tally roll in the terminal) are recorded on the customer's statement of account.

It should be noted that reliability and speed of the system is essential 
to both customer usage and retailer acceptance. 

Up until March 1985, the financial institutions only provided a debit 
facility to its customers. Now there is the option for customers in States 
where regulations permit, to have access to their line of credit. 
4. Technical Aspects Of Eftpos in Australia. 

The quality of any system is dependent on the quality of the constituent parts and the level of investment and expertise devoted to its development. This is certainly the case with eftpos, which involves the transmission of financial information and which is, as such, an element of the payments process of a country.

The Australian Retail Banks have invested heavily in the area and 
required equipment and a system which guaranteed high reliability, high 
integrity and security of customer financial information. 

LM Ericsson Pty Ltd., Burroughs and Fortronics have been responsible for fulfilling many requirements in relation to terminals, which were required not only to be compact in size, but to be easy to use, fast in response time between terminal and host computer, and very secure in their encryption of raw data.

Transmission of messages between the terminal and the bank's computer system utilises either Telecom Australia's Austpac Switching Network, for the Commonwealth Bank and Westpac, or a private switching network, for the ANZ and National Australia Bank. Each Bank uses its own facilities as a frontend to large mainframes. The host provides on-line enquiry and updating facilities on customers' fund positions. The frontend also performs other functions, such as:

• Verification of customer Personal Identification Numbers 

• Accumulation of individual merchant's settlement position, and 

• The interchange of information between financial institutions. 
Figure 3: Commonwealth - Westpac System.

Figure 4: ANZ - National System.

5. Case Study - Westpac.

The development of the Westpac eftpos system will now be given as a case study. The establishment of Westpac's eftpos system resulted from detailed planning and development over a nine month period. The first step in this exercise was the selection of a project manager and team encompassing key people from all areas:

• bank personnel from technical, operational and retail areas

• Telecom Australia, responsible for the National Telecommunication Links; and

• Westpac's retail partners - Woolworths (supermarket chain) and BP (petrol company).

The selection of a suitable equipment supplier was of prime importance in completing the project team. Although a number of POS systems (usually credit authorisation) were in operation in other countries, none met the requirements of the Australian environment. Westpac were looking for a supplier who would build a terminal to their specifications instead of offering a modified off-the-shelf solution.

LM Ericsson Pty Ltd had the requirements for the development of a terminal according to Westpac's specifications, which detailed the hardware and software requirements. Some of the major requirements were:

• compact in size (height and footprint to enable easy location at service desks and check-out lanes)

• in-built modem

• dot integrated printer

• low noise levels during operation

• PIN pad no larger than a small calculator

• clear and easily understood display/prompts to both operator and customer

• quick response times between terminal and host computer to ensure fast service

• in short, Westpac wanted a terminal and PIN pad that was simple to use for both the operator and customer.

In addition, the overall security of the system was a key issue, and a high standard of encrypted message format was adopted to ensure that "raw" data was not transmitted through communication links to Westpac's host computer. At no time during a transaction was any form of confidential customer detail to be displayed at the terminal.

The overall project was monitored with the use of critical path charts 
and action plans detailing the tasks of all parties. Development was not 
without problems but the planning and monitoring process highlighted 
shortcomings and enabled contingent actions to counteract potential delays. 

A pilot launch of 20 terminals (10 in Woolworths and 10 in BP sites) commenced in April 1984, enabling Westpac to test the system in a live environment and iron out any errors before Westpac moved to any expansion of the network. The store managers and service station managers at the 20 pilot sites cooperated fully and were happy to use their respective sites as controls to trial this new technology.

From the experience of establishing the Westpac eftpos system, a few key points have surfaced which should not be overlooked during the planning of any eftpos project:

• installation of the communication link between retailer and bank. The physical connection is by the use of a dedicated line for the sole use of EFT messages, and at certain retail premises major alterations were required to permit installation. To avoid delays and unforeseen costs, availability of access should be considered, as well as allowing sufficient time for installation.

• testing of the system and equipment - prior to installation of any equipment, the entire system was subjected to extensive testing to eliminate the problems of a "live" environment. The live situation presented some problems. However, with the cooperation of the 20 pilot sites, these were overcome in a short space of time (approximately three months). A close involvement and mutual commitment between retailer, Telecom and financial institution is essential for success.

• adequate training of financial institution and retailer staff is also an important pre-requisite. Customer usage of any form of "hands on" technology requires a degree of customer confidence. An encouraging employee, and associated educational campaigns, can greatly enhance this confidence, or, alternatively, deflate it. This is backed up by a central "help desk" staffed by trained bank personnel. A phone call to the "help desk" provides immediate action to most situations.

• site selection of POS terminals is clearly an important consideration. To ensure the best return on an investment, utilisation must be maximised. This can be achieved by careful site selection based on analysis of demographic movements and shopping habits.

• Adequate backup in the case of system malfunction is also something 
that must be closely considered in any new system. In Westpac's case, a 
simple paper-based back-up approach was introduced to deal with any 
system failures or disruptions. 

• finally, the marketing and promotion of eftpos is essential. As with any retail product, a clear marketing strategy must accompany the launch. Without this, eftpos starts well behind the barrier and will suffer the fate of any poorly marketed product. Incentive campaigns targeted at the card holders have been successful in improving awareness and encouraging use.
5.1 Key Factors For Success.

In this section we will highlight some of the key issues of the planning, development and launching process as experienced by Westpac:

• Development Plan - This must include stretching but realistic time 
frames and objectives to ensure deadlines are achieved. Loose time 
frames will lead to delays. 

• Total Commitment From All Parties - The absence of support from all 
concerned will inevitably result in delays and possibly failure. 

• Retailer Involvement - As these people have a large influence on the success or otherwise of a project of this type, their input to the development process is considered mandatory.

• Reliable Equipment Supplier - Delivery where and when required is a 
must. 

• Simplistic Design of Terminal - It is considered that ease of operation of the terminal can mean the difference between success or failure.

Above all, the need for strong project management and control cannot be over-emphasised.

5.2 The Future For Westpac. 

Westpac is currently developing : 

• Automated fuel pumps - the oil industry has expressed the need to relocate eftpos transactions from the shop to the forecourt of a petrol filling station. A card reader and PIN pad installed on the forecourt would provide customers with a fully self-serviced facility - both petrol and eftpos.

• Integrated cash registers - in this development the eftpos terminal would be fully integrated with the cash register and the electronic price scanning technology currently being developed. This has obvious advantages for retailers in terms of reducing space utilised and ensuring comprehensive inventory and financial control.



A major move by all Australian Retail Banks is to integrate their networks with the other bank networks, thus allowing card holders of one bank to use the Automatic Teller Machine of another bank. This is also an active area of development and installation for Westpac.



5.3 Westpac Handyway System. 
6. Socio-Political Aspects of Eftpos.

Every commercial activity has the ability to affect the social and political environment or in turn be affected by it. Eftpos is certainly no exception and is perhaps a good example of how social and governmental factors can impact upon a commercial initiative.

Within Australia, the development of EFT, most notably in the area of POS, has been associated with the expression of a number of concerns within sections of the community and from some interest groups which seek to represent consumer interests. It has been suggested, often quite vociferously, that eftpos poses a serious threat to consumers in areas such as:

• security and confidentiality of financial information, 

• liability in the event of a disputed transaction or system failure, and 

• fraudulent usage. 

The Australian Retail Banks have accepted the basis of such concerns as well intentioned, even if they are not always based on an objective understanding of eftpos operations.

For example, it has been claimed that eftpos would allow a financial institution to build up a detailed picture of the purchasing habits of individuals. In the event of an individual buying a device for the use of illicit substances, such as a water pipe for smoking marijuana, this information, it has been claimed, could be made available to drug enforcement authorities.

The Australian Retail Banks have sought to face the social and governmental aspects of eftpos development responsibly and comprehensively. Discussions with consumer groups, administrators and politicians at all levels of government have been established to understand better their concerns and convey the views of the Australian Retail Banks.
It has been argued by some that there is no established set of legislative arrangements to define rights and obligations for the providers and users of eftpos systems.

The Australian Retail Banks' view is that they are concerned to maintain the same, if not higher, standards in their relations with customers for EFT as for paper-based transaction methods.

The Australian Retail Banks believe that legislation should only be contemplated if there is, or is likely to be, a demonstrable public need. To the extent that problems from a consumer point of view may arise, they would certainly prefer that these problems be tackled on a voluntary basis or on the basis of an established and uniform industry code.

So far problems which have arisen such as 

• consumers being held liable in the case of errors caused by mechanical and systems failures of the computer

• consumers being held liable for money issued in excess of their balances

have not always been perceived to have been handled fairly. 

If there are any lessons to be learnt on this aspect of eftpos operation from Australia, it is that it is essential that the technical development and planning for eftpos be closely associated with a consideration of the policy and political aspects. Doing this averts, or at least minimises, the potential for misunderstandings between the private sector and government and the consequent possibility of inhibiting legislative arrangements.
7. Advantages Of Eftpos To The Main Parties.

7.1 For The Australian Retail Banks. 

• Replacing paper with E.F.T (cost reducing) 

• Better customer service 

• Australian Retail Banks' representation at retail outlets where customers shop and spend money

• Opportunities to broaden its customer base. 

7.2 For The Retailer. 

• Replacing paper with E.F.T (cost saving) 

• Reduced cash (cost saving and better security) 

• Better customer service 

• Higher ticket sizes (increased sales) 

• Same day value 

• No bad debts 

• No separate authorisation required 

• Less physical security 

• Access to the Australian Retail Banks' customer base.

7.3 For The Customer.

• The major benefit for the customer is convenience - being able to 
access their accounts where and when they spend. 

• Another important benefit is seen as less need to carry cash. 
8. The Future of Eftpos in Australia.

Agreement has now been reached so that banks, non-bank financial institutions, and retailers will all have complete access to the Australia-wide eftpos network.

The linking up of ATMs is described in the diagram.

Figure 5: Linking Up the ATMs (Sydney Morning Herald), 12/2/86. 
9. Concluding Remarks.

It is our opinion that eftpos marks a challenging and exciting development in the provision of retail banking services. After two years of debate, in mid July 1986, all the banks and the retailers agreed to eftpos. It is the future of retail banking and as such an integral means of improving customer services.

Security companies, alarmed at the inroads to their business, have been putting out TV commercials that try to illustrate the pure joy and beauty of cash. But we believe that the high acceptance of plastic money, with 5.5 million Bankcards for a population of 15 million people, and the acceptance of ATMs, especially by the young, means they are too late to dam the flood.

Westpac and the Commonwealth Bank both have programs to give children as young as 12-13 key cards allowing access to savings accounts. Unfortunately some families, who have not kept their PIN secure from their children, have found their accounts drawn upon.

We expect to see in the future 

• more terminals 

• more merchants/retailers using the system 

• extended POS interchange 

• automated fuel pumps or driveway card acceptors 

• electronic cash registers more widely used 

• universal access to line of credit 

• an extension of the facilities available via the eftpos network to include items such as brokerage, loans, investments, travel services and certificates of deposit.

Abstract



Three very different formal definitions of security for public-key cryptosystems have been proposed — two by Goldwasser and Micali and one by Yao. We prove all of them to be equivalent. This equivalence provides evidence that the right formalization of the notion of security has been reached.

1 Introduction 

The key desideratum for any cryptosystem is that encrypted messages must be secure. Before one can discuss whether a cryptosystem has this property, however, one must first rigorously define what is meant by security. Three different rigorous notions of security have been proposed. Goldwasser and Micali [5] suggested two different definitions, polynomial security and semantic security, and proved that the first notion implies the second. Yao [8] proposed a third definition, one inspired by information theory, and suggested that it implies semantic security.

Not completely knowing the relative strength of these definitions is rather unpleasant. For 
instance, several protocols have been proved correct adopting the notion of polynomial security. 
Are these protocols that are secure with respect to a particular definition or are they secure 
protocols in a more general sense? In other words, a natural question arises: Which of the 
definitions is the "correct" one? Even better: How should we decide the "correctness" of a 
definition? 

The best possible answer to these questions would be to find that the proposed definitions — 
each attempting to be as general as possible — are all equivalent. In this case, one obviously no 
longer has to decide which one definition is best. Moreover, the equivalence suggests that one has 
indeed found a strong, natural definition. 

In this paper, we show that these notions are essentially equivalent. The three originally proposed definitions were not equivalent. However, as we point out, this inequivalence was caused only by some minor technical choices. After rectifying these marginal choices, we succeed in proving the desired equivalences, keeping the spirit of the definitions intact. We believe this to be an essential step in developing theory in the field of cryptography.

* The full version of this work will appear in the SIAM Journal of Computing. In the meantime, the full version is available from the authors.

2 Public Key Scenarios

Let us briefly review what is meant by the notion of public-key cryptography, first proposed by Diffie and Hellman [4] in 1976. As with all cryptography, the goal is that A(lice), by using an encryption algorithm E, becomes able to securely send a message m to B(ob). What is meant by "securely" is that it is impossible for any party T who has tapped A and B's line to figure out information about m from E(m). The distinguishing feature of public-key cryptography is that we require this security property to hold even when T knows the encryption algorithm E.

We believe that until now, the notion of public-key cryptography has not been fully understood. In fact, it is crucial to consider exactly how the communication between A and B establishes the algorithm E. Therefore, we introduce the fundamental notion of a pass. We will first explain what passes are, and then explain their implications for security.

2.1 Passes 

Within the public-key model, A and B can alternate communicating back and forth as many 
times as they feel are necessary to achieve security. Call each alternation a pass. 

Any number of passes are, of course, permissible. We concentrate on what we believe are the 
two most interesting and important cases, one and three passes. We do not consider more than 
three passes, because, if trapdoor permutations exist, a well designed probabilistic encryption 
scheme can achieve as much security as is possible using only three passes. 

Three-pass systems 

The three-pass case is, perhaps, the most natural to think about. It corresponds to a telephone 
conversation. A has a message m that she wants to securely communicate to B. A calls up 
B and says, "I have a message I'd like to send to you." B, so alerted, proceeds to generate 
an encryption/decryption algorithm pair, (E,D), and tells A, "Please use E to encrypt your 
message." A then uses E to encrypt her message and tells B "E(m)." 

Notice the key property of a three-pass system: The message and the encryption algorithm are 
selected independently of one another. We are nevertheless in a public-key model, since anyone 
tapping the phone line gets to hear B tell E to A. 

One-pass systems 

A one-pass system corresponds to what is commonly called a public file system. In the one-pass model, A simply looks up B's public encryption algorithm, E, in a "phone book" and uses it to encrypt her message. (One pass is a slight misnomer. At some point, in what we may view as a preprocessing stage, B must have communicated his encryption algorithm, presumably by telling it to whomever publishes the phone book of encryption algorithms, and thus indirectly to A. "One and a half passes" might be more accurate. "Half" refers to the preprocessing stage that needs to be performed only once.) In this case, the choice of message can depend on E.

2.2 Passes and Security

The main result of this paper is: 

GM-security, semantic security, and Y-security (all formally defined in section 3) are 
equivalent both for one-pass and three-pass cryptosystems. 

Interestingly, the equivalence still holds in the one-pass scenario, but the notions of security 
vary between the one-pass and three-pass scenarios. This point has not been given the proper 
attention, because people frequently confuse the notion of one-pass public-key cryptography with 
public key cryptography in general. 

The distinction, however, is crucial for avoiding errors, particularly in cryptographic protocols. 
Let us informally state the two definitions of security that are achievable in the two scenarios if 
trapdoor permutations exist. 

A 3-pass cryptosystem is secure if, for every message m in the message space, it is impossible to 
efficiently distinguish an encryption of m from random noise. 

A 1-pass cryptosystem is secure if, for every message m that is efficiently computable on input 
the encryption algorithm alone, it is impossible to efficiently distinguish an encryption of 
m from random noise. 

In other words, in the one-pass scenario one cannot just blithely write, "For all messages m." For instance, if one closely analyzes all known public-key cryptosystems, it is conceivable that if (E, D) is an encryption/decryption pair, then D can be easily computed from E(D). For instance, the constructive reduction of security to quadratic residuosity given by Goldwasser and Micali [5] for their cryptosystem would vanish if the encrypted message is allowed to be D itself.¹

Such problems cannot arise in the three-pass scenario because the encryption algorithm E is 
selected after and independently of the message m. 

In this paper we concentrate on providing the details for the three pass case, and sketch the 
results for the one pass case in the final section. The reason for this choice is that the definitions 
of security are much more easily stated for three-pass systems. It is much more convenient to 
say, "For all messages m," than "For all messages m that are efficiently computable given the 
encryption algorithm as an input." 

3 Notions of security for three-pass systems 

In this section we will formally specify our cryptographic scenario, and define the three notions 
of security. These definitions are the same in spirit as those originally chosen by Goldwasser and 
Micali and Yao; therefore, we will use either the names they chose or their initials. We will point 
out explicitly at the end of this section the minor changes we needed to make to reach the right 
level of generality. 

¹ Notice that if Bob publishes an encryption algorithm E in the public file while keeping its associated decryption algorithm D secret, then any other user, being limited to efficient computation and ignorant of D, necessarily selects her message m efficiently from the input E — maybe without even looking at E — and perhaps other inputs altogether independent of (E, D). However, in designing cryptographic protocols, one would often like to be able to transmit things like E(D). For instance, if that type of message were allowed, one would have a trivial solution to the problem of verifiable secret sharing [3].

3.1 Notation and Conventions for Probabilistic Algorithms.

We introduce some generally useful notation and conventions for discussing probabilistic algorithms. (We make the natural assumption that all parties may make use of probabilistic methods.)

We emphasize the number of inputs received by an algorithm as follows. If algorithm A receives only one input we write "$A(\cdot)$", if it receives two inputs we write "$A(\cdot, \cdot)$" and so on.

"PS" will stand for "probability space"; in this paper we only consider countable probability 
spaces. In fact, we deal almost exclusively with probability spaces arising from probabilistic 
algorithms. 

If $A(\cdot)$ is a probabilistic algorithm, then for any input i, the notation $A(i)$ refers to the PS which assigns to the string $\sigma$ the probability that A, on input i, outputs $\sigma$. Notice the special case where A takes no inputs; in this case the notation A refers to the algorithm itself, whereas the notation $A()$ refers to the PS defined by running A with no input. If S is a PS, denote by $\Pr_S(e)$ the probability that S associates with element e. Also, we denote by $[S]$ the set of elements which S gives positive probability. In the case that $[S]$ is a singleton set $\{e\}$ we will use S to denote the value e; this is in agreement with traditional notation. (For instance, if $A(\cdot)$ is an algorithm that, on input i, outputs $i^3$, then we may write $A(2) = 8$ instead of $[A(2)] = \{8\}$.)

If $f(\cdot)$ and $g(\cdot, \ldots, \cdot)$ are probabilistic algorithms then $f(g(\cdot, \ldots, \cdot))$ is the probabilistic algorithm obtained by composing f and g (i.e. running f on g's output). For any inputs x, y, ... the associated probability space is denoted $f(g(x, y, \ldots))$.

If S is any PS, then $x \leftarrow S$ denotes the algorithm which assigns to x an element randomly selected according to S; that is, x is assigned the value e with probability $\Pr_S(e)$. If F is a finite set, then the notation $x \leftarrow F$ denotes the algorithm which assigns to x an element randomly selected from the PS which has sample space F and the uniform probability distribution on the sample points. Thus, in particular, $x \leftarrow \{0, 1\}$ means x is assigned the result of a coin toss.

The notation $\Pr(p(x, y, \ldots) \mid x \leftarrow S;\ y \leftarrow T;\ \ldots)$ denotes the probability that the predicate $p(x, y, \ldots)$ will be true, after the ordered execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, etc. We use analogous notation for expected value — $\mathrm{Ex}(f(x, y, \ldots) \mid x \leftarrow S;\ y \leftarrow T;\ \ldots)$ — where now f is a function which takes numerical values.

Let $\mathcal{PA}$ denote the set of probabilistic polynomial-time algorithms. We assume that a natural representation of these algorithms as binary strings is used.

By $1^n$ we denote the unary representation of integer n, i.e.

$$1^n = \underbrace{11 \cdots 1}_{n}.$$

3.2 Cryptographic Scenario 

Here we specify those elements that are necessary for all public-key cryptography. 
A cryptographic scenario consists of the following components: 

• A security parameter n which is chosen by the user when he creates his encryption and 
decryption algorithms. The parameter n will determine a number of quantities (length of 
plaintext messages, overall security, etc.). 
• A sequence of message spaces, $M = \{M_n\}$, from which all plaintext messages will be drawn. $M_n$ consists of all messages allowed to be sent if the security parameter has been set equal to n. In order to make our notation simpler (but without loss of generality), we'll assume that $M_n = \{0, 1\}^n$. There is a probability distribution on each message space, $\Pr_n : M_n \to [0, 1]$, such that $\sum_{m \in M_n} \Pr_n(m) = 1$.

• A public-key cryptosystem is an algorithm $C \in \mathcal{PA}$ that on input $1^n$ outputs the description of two polynomial-size circuits E and D such that:

1. E has n inputs and $l(n)$ outputs, and D has $l(n)$ inputs and n outputs. (l is some polynomial that gives the length of the ciphertext.)

2. E is probabilistic; D is deterministic.

3. For all $m \in \Sigma^n$, $\Pr(D(\alpha) = m \mid (E, D) \leftarrow C(1^n);\ \alpha \leftarrow E(m)) = 1$.

Notice that $[E(m)]$ is a set which is typically quite large. Our notation requires us to write $\alpha \in [E(m)]$ to refer to a particular encryption of m. Nevertheless, we will sometimes sloppily write $E(m)$ for a particular encryption of m when the meaning is clear.

3.3 GM-security 

This definition is essentially what Goldwasser and Micali [5] called polynomial security. 

A line tapper is a family of polynomial-size probabilistic circuits $T = \{T_n\}$. Each $T_n$ takes four strings as input and outputs either 0 or 1. However, to make our next equation more readable, we will treat $T_n$'s output as being either its second or third input (0 or 1 respectively).

Definition Let C be a public-key cryptosystem. C is GM-secure if for all line tappers T and c > 0, for all sufficiently large n, for every $m_0, m_1 \in \{0, 1\}^n$

$$\Pr(T_n(E, m_0, m_1, \alpha) = m \mid m \leftarrow \{m_0, m_1\};\ E \leftarrow C(1^n);\ \alpha \leftarrow E(m)) < \tfrac{1}{2} + n^{-c}. \quad (1)$$

Remark: In reading the above definition, one should pay close attention to our notation. Upon casual consideration of Equation 1, one might conclude that there aren't any GM-secure cryptosystems! After all, the definition says that the encryption E must be secure for any $m_0$ and $m_1$, both of which are given as inputs to the line tapper. What happens if we put $m_0 = D$, a description of the decryption algorithm? The answer to this question is that our notation specifies that first we choose m from $\{m_0, m_1\}$ (and thus $m_0$ and $m_1$ already had been set), and then we choose our encryption algorithm. If C is GM-secure, then the probability that $C(1^n)$ assigns to any given output is quite small, say $O(2^{-n})$. Thus there's little worry that C will just happen to output a decryption algorithm $D = m_0$. Notice how the above definition (via our notation) models the three-pass scenario.
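The experiment of Equation (1), run by Monte Carlo, as an added example that is not part of the paper: it estimates a line tapper's success probability against a toy version of the quadratic-residuosity cryptosystem of Goldwasser and Micali [5], and against the same scheme with its randomiser removed (which is exactly what makes it lose GM-security). The toy primes 1009 and 1013, the 8-bit messages, the trial counts and the "re-encrypt and compare" tapper are all constructed for this example and are far too small for real use.

```python
import math
import random

# Toy primes, constructed for the example; real keys would be hundreds of digits.
P, Q = 1009, 1013
N = P * Q


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (equals the Legendre symbol when n is prime)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def _pick_y(rng):
    # y is a quadratic non-residue modulo both P and Q, so its Jacobi symbol mod N is +1:
    # a tapper cannot tell y apart from a residue without factoring N.
    while True:
        y = rng.randrange(2, N)
        if jacobi(y, P) == -1 and jacobi(y, Q) == -1:
            return y


def gm_keygen(rng):
    """C(1^n) for the Goldwasser-Micali scheme: returns (E, D) with E probabilistic."""
    y = _pick_y(rng)

    def encrypt(bits):
        out = []
        for b in bits:
            r = rng.randrange(1, N)
            while math.gcd(r, N) != 1:          # keep r invertible mod N
                r = rng.randrange(1, N)
            out.append(pow(r, 2, N) * pow(y, b, N) % N)   # fresh r per bit
        return out

    def decrypt(cts):
        # c is a quadratic residue mod P exactly when the encrypted bit was 0
        return [0 if jacobi(c, P) == 1 else 1 for c in cts]

    return encrypt, decrypt


def det_keygen(rng):
    """Same scheme with r fixed to 1, i.e. E(b) = y^b mod N: a deterministic E."""
    y = _pick_y(rng)

    def encrypt(bits):
        return [pow(y, b, N) for b in bits]

    def decrypt(cts):
        return [0 if jacobi(c, P) == 1 else 1 for c in cts]

    return encrypt, decrypt


def reencrypt_tapper(E, m0, m1, alpha):
    """Line tapper T_n(E, m0, m1, alpha): re-encrypt m0 under the public E and compare."""
    return m0 if E(m0) == alpha else m1


def gm_experiment(keygen, tapper, m0, m1, trials, seed=0):
    """Estimate Pr(T_n(E, m0, m1, alpha) = m | m <- {m0, m1}; E <- C(1^n); alpha <- E(m)).

    The algorithms run in the order written: m is fixed before E is generated,
    which is what models the three-pass scenario of the paper.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        m = rng.choice((m0, m1))        # m <- {m0, m1}
        E, _D = keygen(rng)             # E <- C(1^n), chosen after m
        alpha = E(m)                    # alpha <- E(m)
        if tapper(E, m0, m1, alpha) == m:
            wins += 1
    return wins / trials


def roundtrip_ok(keygen, message, seed=0):
    """Property 3 of Section 3.2: D(E(m)) = m for the given message."""
    E, D = keygen(random.Random(seed))
    return D(E(message)) == message


def bits(s):
    return [int(ch) for ch in s]


if __name__ == "__main__":
    m0, m1 = bits("00000000"), bits("10110101")
    print("deterministic E:", gm_experiment(det_keygen, reencrypt_tapper, m0, m1, 400))
    print("Goldwasser-Micali E:", gm_experiment(gm_keygen, reencrypt_tapper, m0, m1, 400))
```

Against the deterministic variant the tapper is right every time, far above the 1/2 + n^{-c} bound of Equation (1); against the randomised scheme the same tapper does no better than guessing.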

3.4 Semantic Security (3-pass) 

Again, this definition is essentially the same as in [5]. It can be viewed as a polynomial-time bounded version of Shannon's "perfect secrecy" [7]. Informally, let f be any function defined on a message space sequence; f(m) constitutes information about the message m. Intuitively, f should be thought of as some particular information about the plaintext that the adversary is going to try to compute from the ciphertext — say the first seventeen bits of the plaintext. A cryptosystem is semantically secure if no adversary, on input E(m), can compute f(m) more accurately than by random guessing (taking into account the probability distribution on the message space).

Definition Let C be a public-key cryptosystem, and let $M = \{M_n\}$ be a sequence of message spaces. Let $F = \{f_E : M_n \to \Sigma^* \mid E \in [C(1^n)],\ n \in \mathbb{N}\}$ be any set of functions on the message spaces. For any value $v \in \Sigma^*$, we denote by $f_E^{-1}(v)$ the inverse image of v; that is, the set $\{m \in M_n \mid f_E(m) = v\}$. Then the probability of the most probable value for $f_E(m)$ is $p_E = \max\{\sum_{m \in f_E^{-1}(v)} \Pr_n(m) \mid v \in \Sigma^*\}$. $p_E$ is the maximum probability with which one could guess $f_E(m)$ knowing only the probability distribution from which m has been drawn.

C is semantically secure if for all message space sequences M, for all families of functions F, for every family of polynomial-size probabilistic circuits $A = \{A_n(\cdot, \cdot)\}$, for all c > 0, and for all sufficiently large n

$$\Pr(A_n(E, \alpha) = f_E(m) \mid m \leftarrow M_n;\ E \leftarrow C(1^n);\ \alpha \leftarrow E(m)) < p_E + \frac{1}{n^c}. \quad (2)$$

Notice that $p_E$ implicitly depends on n, because E depends on n. Notice also that we quantify over message spaces in order to take into account all possible probability distributions on the messages.

3.5 Y-security (3-pass) 

Yao's definition [8] is inspired by information theory, but its context differs from classical information theory in that the communicating agents, A(lice) and B(ob), are limited to probabilistic polynomial-time computations.

An intuitive explanation of Yao's definition is the following: A has a series of $n^k$ messages, selected from a probability space known to both A and B, and an encryption of each message. She wishes to transmit enough bits to B so that he can (in polynomial time with very high probability) compute all the plaintexts. A cryptosystem is Y-secure if the average number of bits A must send B is the same regardless of whether B possesses a copy of the ciphertexts.

We now make this notion precise, first by defining "Alice and Bob," and then eventually 
defining Y-security itself. 

Let M = {M„} be a sequence of message spaces. Each M„ is {0, l} n with a fixed probability 
distribution. (Note that an information theorist would consider M to be a sequence of sources.) 

Let $\varepsilon(n)$ be any function that vanishes faster than $n^{-c}$ for all positive $c$. 

For the sake of compactness of notation, the expression $\bar{m}$ will denote a particular series of $n^k$ 
messages. That is, $\bar{m}$ stands for $m_1, m_2, \ldots, m_{n^k}$. 

Let $f$ be any positive function such that $f(n) \le n$. Intuitively, $f(n)$ is the number of bits per 
message that A must transmit to B in order for B to recover the plaintexts. Recall that all the 
messages in $M_n$ have length $n$. 



Definition  An $f(n)$ compressor/decompressor pair (hereinafter c/d pair) for $M$ is a pair of 
families of probabilistic polynomial-size circuits, $\{A_n\}$ and $\{B_n\}$, satisfying the following three 
properties for some constant $k$ and all sufficiently large $n$: 

1. "$B_n$ understands $A_n$." 

$$\Pr\big( \bar{m} = y \;\big|\; m_1 \leftarrow M_n;\ \ldots;\ m_{n^k} \leftarrow M_n;\ \beta \leftarrow A_n(\bar{m});\ y \leftarrow B_n(\beta) \big) = 1 - O(\varepsilon(n)). \qquad (3)$$



2. "$A_n$ transmits only $f(n)$ bits per message." 

$$\mathrm{E}\Big[\, |\beta| / n^k \;\Big|\; m_1 \leftarrow M_n;\ \ldots;\ m_{n^k} \leftarrow M_n;\ \beta \leftarrow A_n(\bar{m}) \Big] \le f(n). \qquad (4)$$



3. "The output of $A_n$ can be parsed." 

For all polynomials $Q$ there exists a probabilistic polynomial-time Turing machine $S_Q$ such 
that $S_Q$ takes as input $n$ and a concatenated string of $Q(n)$ $\beta$'s, each of which is a good 
output from $A_n$, and separates them. That is, its input is $\beta_1 \beta_2 \ldots \beta_{Q(n)}$ and its output is 
$\beta_1 \# \beta_2 \# \cdots \# \beta_{Q(n)}$. We require that 

$$\Pr\big( S_Q \text{ correctly splits } \beta_1 \beta_2 \ldots \beta_{Q(n)} \big) = 1 - O(\varepsilon(n)). \qquad (5)$$

Remark: The requirement that $S_Q$ exist is a technical requirement. It creates a finite analogue 
of classical information theory's requirement that messages be transmitted one bit at a time, in 
an infinite sequence of bits. 

We say that the cost of communicating $M$ is less than or equal to $f(n)$, in symbols $C(M) \le f(n)$, 
if there exists an $f(n)$ c/d pair for $M$. 

We define $C(M) > f(n)$ to be the negation of $C(M) \le f(n)$ — that is, any circuits "communicating 
$M$" must use at least $f(n)$ bits. The definition of $C(M) = f(n)$ is analogous. 

Let $C$ be a cryptosystem. We define $C(M \mid E_C(M))$, the cost of communicating $M$ given 
encryptions from $C$, in a manner analogous to $C(M)$. The only difference is that now both $A_n$ and 
$B_n$ also get $E$ and the $n^k$ values of some encryption function $E \in [C(1^n)]$ as inputs. That is, for 
this definition we must rewrite Equation 3 above to read: 

$$\begin{aligned} \Pr\big( \bar{m} = y \;\big|\; & m_1 \leftarrow M_n;\ \ldots;\ m_{n^k} \leftarrow M_n;\ E \leftarrow C(1^n); \\ & \alpha_1 \leftarrow E(m_1);\ \ldots;\ \alpha_{n^k} \leftarrow E(m_{n^k}); \\ & \beta \leftarrow A_n(E, \bar{m}, \bar{\alpha});\ y \leftarrow B_n(E, \beta, \bar{\alpha}) \big) = 1 - O(\varepsilon(n)). \end{aligned} \qquad (6)$$

An analogous change must also be made to Equation 4. 

Notice that for this definition, the probabilities involved must be taken over the different 
choices of E from C as well as everything else. 

Definition  Let $C$ be a public-key cryptosystem. Fix a sequence of message spaces $M = \{M_n\}$ 
(and thus the probability distribution on each $M_n$). We say that $C$ is Y-secure with respect to $M$ 
if 

$$C(M) = C(M \mid E_C(M)) + O(\varepsilon(n)). \qquad (7)$$

We say that $C$ is Y-secure if for all $M$, $C$ is Y-secure with respect to $M$. 

3.6 The original definitions vs. ours 

As we pointed out in the introduction, we made minor changes in the cryptographic scenario from 
[5] and [8]. Here we will spell out what those changes are and why they were made. 

Changes to Goldwasser and Micali's Definition 

There are two ways a cryptosystem (the server that generates encryption/decryption algorithm 
pairs) can achieve security: 

1. The cryptosystem gets a description of a message space M (and thus its probability distribution) 
as one of its inputs and will output an encryption/decryption algorithm pair to securely encrypt M. 

2. The cryptosystem is told nothing about the message space. The encryption algorithms it 
outputs are supposed to be secure for every possible message space. 

We will call the former cryptosystems adaptive and the latter oblivious. 

Goldwasser and Micali consider adaptive cryptosystems for both of their definitions of security [5]; 
Yao doesn't make it clear which type of cryptosystem he is assuming for his definition 
of security [8]. We believe it makes more sense to consider oblivious cryptosystems, for both 
theoretical and applied reasons. 

The theoretical reason for preferring oblivious cryptosystems is that all three definitions of 
security are equivalent. (See Section 4.) This is a desirable property that fails to hold for adaptive 
cryptosystems, as we will show in the next section. 

The practical reason for preferring oblivious cryptosystems is that, although it is certainly 
conceivable that having knowledge of the message space would allow one to design a better 
encryption algorithm, cryptographers have in fact normally tried to design cryptosystems that 
are secure for all message spaces. For example, consider the cryptosystem based on arbitrary 
trapdoor predicates proposed by Goldwasser and Micali [5]. Although they only considered 
security in the adaptive cryptosystem sense, their cryptosystem is in fact secure in the stronger, 
oblivious sense. 

Changes to Yao's Definition 

In [8], Yao assumes deterministic private key cryptography, but the definition is immediately 
extended to probabilistic public-key cryptography. 

Yao defines the compressor A and decompressor B to be Turing machines, not circuits. 
We have switched to circuits because it is not clear that there are any secure cryptosystems 
with respect to probabilistic Turing machines. It might be that one can always achieve 
greater polynomial-time compression given the ciphertext simply because having a shared random 
(enough) string (in this case the ciphertext!) helps. If it does help, however, having made the 
compressor and decompressor nonuniform circuits, we can always hardwire in a shared random 
string of bits. 

3.7 Inequivalence of the original definitions 

In this section, we point out that, for adaptive cryptosystems, GM-security is a notion stronger 
than either semantic security or Y-security. We do this in the following two claims, each supported 
by an informal argument. These claims can be easily transformed to theorems after formalizing 
the discussed security notions in terms of adaptive cryptosystems, a tedious effort once we have 
realized that the adaptive setting is not the "right" one. 

Claim 1 If any GM-secure adaptive public-key cryptosystem exists, then there exist adaptive 
public-key cryptosystems that are semantically secure but not GM-secure. 

Let $C(\cdot, \cdot)$ be any GM-secure (and thus semantically secure) adaptive cryptosystem. We'll construct 
a $C'(\cdot, \cdot)$ that is still semantically secure, but is not GM-secure. 

$C'$ behaves identically to $C$ for all message spaces, except for the message space $\{0,1\}^n$ with 
uniform probability distribution. In this case, $C'$ runs $C$ to compute an encryption algorithm $E$, 
and then outputs the algorithm $E'$ defined by: 

(8) 

$C'$ is clearly not GM-secure, because, for the special message space described above, there is 
a message, $0^n$, which is easily distinguished from other messages by its encryption. However, $C'$ 
is still semantically secure. The message $0^n$ has such a low probability weight that it won't give 
an adversary any significant advantage — on average — in computing a function of the plaintext on 
input the ciphertext. □ 



Claim 2  If any GM-secure adaptive public-key cryptosystem exists, then there exist adaptive 
public-key cryptosystems that are Y-secure but not GM-secure. 

We construct exactly the same $C'$ as we did for the previous claim. $C'$ is of course not GM-secure. 
However, the "weak message" has such low probability that it basically doesn't affect the average 
number of bits necessary to communicate messages from the message space. Thus $C'$ is Y-secure. □ 
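The gap the two claims describe can be played out numerically. The following Python simulation is an added illustration, not part of the paper: `e_prime` is a constructed stand-in for $E'$ (the paper's definition (8) is not reproduced on this page) that hides the message under a fresh random pad and merely tags encryptions of the weak message $0^n$; the GM line tapper is handed the pair $(0^n, m_1)$, while the semantic-security adversary faces uniform $\{0,1\}^n$ with $f_E(m) = m$, so $p_E = 2^{-n}$.

```python
import random

N_BITS = 8                      # message length n; small so the games run quickly
SPACE = 1 << N_BITS             # the special message space {0,1}^n, uniform


def e_prime(m: int, rng: random.Random) -> tuple:
    """Constructed stand-in for E' (definition (8) is not on the page).  The message
    is hidden under a fresh random pad, so the only thing an adversary can read off
    is the tag bit, which is set exactly when the plaintext is the weak message 0^n."""
    pad = rng.getrandbits(N_BITS)
    return (1 if m == 0 else 0, m ^ pad)


def gm_game(trials: int, rng: random.Random, weak_pair: bool = True) -> float:
    """GM line-tapper game.  With weak_pair the pair is (0^n, m1); otherwise both
    messages are non-weak and the tag carries no information.  Returns the success rate."""
    wins = 0
    for _ in range(trials):
        m1 = rng.randrange(1, SPACE)
        m0 = 0
        if not weak_pair:
            m0 = rng.randrange(1, SPACE)
            while m0 == m1:
                m0 = rng.randrange(1, SPACE)
        m = rng.choice((m0, m1))            # m <- {m0, m1}
        tag, _masked = e_prime(m, rng)      # alpha <- E'(m)
        if tag:
            guess = 0                       # tag set: the plaintext is 0^n
        elif m0 == 0:
            guess = m1                      # tag clear and 0^n was a candidate: it is m1
        else:
            guess = m0                      # no information: fixed guess, right half the time
        wins += guess == m
    return wins / trials


def semantic_game(trials: int, rng: random.Random) -> float:
    """Semantic-security game with f_E(m) = m over uniform {0,1}^n: the adversary
    answers 0^n on the tag, otherwise a uniform guess among the other 2^n - 1 messages."""
    wins = 0
    for _ in range(trials):
        m = rng.randrange(SPACE)            # m <- M_n
        tag, _masked = e_prime(m, rng)
        guess = 0 if tag else rng.randrange(1, SPACE)
        wins += guess == m
    return wins / trials


P_E = 1.0 / SPACE    # most probable value of f_E(m) = m under the uniform distribution


def run(trials: int = 20000, seed: int = 1) -> dict:
    rng = random.Random(seed)
    return {"gm_success": gm_game(trials, rng),
            "gm_baseline": gm_game(trials, rng, weak_pair=False),
            "semantic_success": semantic_game(trials, rng),
            "p_E": P_E}


if __name__ == "__main__":
    r = run()
    print(f"GM game, pair (0^n, m1): tapper succeeds {r['gm_success']:.3f} (bound 1/2 + n^-c)")
    print(f"GM game, non-weak pair:  tapper succeeds {r['gm_baseline']:.3f}")
    print(f"semantic game: adversary {r['semantic_success']:.4f} vs p_E = {r['p_E']:.4f}")
```

The tapper wins every time on the weak pair, far above $1/2 + n^{-c}$, while the semantic adversary's rate is about $2 \cdot 2^{-n}$, an advantage of only $2^{-n}$ over $p_E$.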



4 Main Results 

GM-security, semantic security, and Y-security are all equivalent. We have chosen to prove 
this equivalence by showing that GM-security is equivalent to Y-security and that GM-security 
is equivalent to semantic security. In this extended abstract, we simply state our theorems. 
The proofs may be found in the full paper. In fact, we prove only three of the four necessary 
implications. The proof that GM-security implies semantic security may be found in [5]. 







Theorem 1  Let $C$ be a public-key cryptosystem. If $C$ is semantically secure, then $C$ is GM-secure. 

The proof of this theorem is quite simple. The key idea is that if a cryptosystem is not GM-secure, 
then there exist two messages, $m_1$ and $m_2$, which we can easily distinguish. If we make a 
new message space in which these are the only messages, then given only a ciphertext, one has 
a better than random chance of figuring out which of the two plaintext messages this ciphertext 
represents. 

Theorem 2  Let $C$ be a cryptosystem. If $C$ is Y-secure, then $C$ is GM-secure. 

Theorem 3  Let $C$ be a public-key cryptosystem. If $C$ is GM-secure, then $C$ is Y-secure. 

5 One-Pass Scenarios 

In this section we present the proper definitions for one-pass cryptography, and then go on to show 
that these definitions are all equivalent to one another. (They are not equivalent to the three-pass 
definitions.) These definitions are all considerably more complicated than the analogous 
definitions for the three-pass scenario. 

5.1 GM-security (1-pass) 

As discussed above in Section 2.2, for a one-pass cryptosystem, we must change from requiring 
security "for all messages $m$," to requiring security for every message $m$ that is efficiently computable 
on input the encryption algorithm alone. In order to do this, we introduce an adversary 
called a message finder. 

A message finder is a family of polynomial-size probabilistic circuits $F = \{F_n(\cdot)\}$ each of which 
takes the description of an encryption algorithm as its input and has two messages of length $n$ 
as its output. Intuitively, on input $E$, $F_n$ tries to find $m_0$ and $m_1$ such that it's easy for a fellow 
adversary (a line tapper) to distinguish encryptions of $m_0$ from encryptions of $m_1$. 

Definition  Let $C$ be a public-key cryptosystem. $C$ is GM-secure (one-pass) if for all message 
finders $F$, line tappers $T$, and $c > 0$, for all sufficiently large $n$, 

$$\Pr\big( T_n(E, m_0, m_1, \alpha) = m \;\big|\; E \leftarrow C(1^n);\ m_0, m_1 \leftarrow F_n(E);\ m \leftarrow \{m_0, m_1\};\ \alpha \leftarrow E(m) \big) < \tfrac{1}{2} + n^{-c}. \qquad (9)$$



5.2 Semantic Security (1-pass) 

To change the definition of semantic security to fit the one-pass scenario, we need to introduce 
something like the message finders of the previous section. For semantic security, however, we're 
concerned not with finding two "weak" messages, but rather with the probability distribution of 
the entire message space. Thus our second adversary will not pick out particular messages, but 
instead set the probability distribution of the message space. Furthermore, we now explicitly give 
the other adversary a description of that probability distribution. 
A message space enemy is a family of polynomial-size probabilistic circuits $B = \{B_n(\cdot)\}$. 
Each $B_n$ takes the description of an encryption algorithm as its input, and outputs the description 
of a probabilistic Turing machine $N()$. $N$ outputs elements of $\{0,1\}^n$ with some probability 
distribution. 

As in the three-pass definition, we let $V$ be any set and let $\mathcal{F} = \{ f_E : M_n \to V \mid E \in [C(1^n)] \}$ 
be any set of functions. Again set $p_N$ to be the probability of the most probable value for $f_E(m)$; 
set $p_N = \max \{ \sum_{m \in f_E^{-1}(v)} \Pr_N(m) \mid v \in V \}$. 

Definition  Let $C$ be a public-key cryptosystem. $C$ is semantically secure if for every message 
space enemy $B$, family of polynomial-size probabilistic circuits $A = \{A_n(\cdot, \cdot, \cdot)\}$, and $c > 0$, for all 
sufficiently large $n$ 

$$\Pr\big( A_n(E, N, \alpha) = f_E(m) \;\big|\; E \leftarrow C(1^n);\ N \leftarrow B_n(E);\ m \leftarrow N();\ \alpha \leftarrow E(m) \big) < p_N + n^{-c}. \qquad (10)$$

5.3 Y-security (1-pass) 

The changes that must be made to the definition of Y-security are completely analogous to the 
changes we made to the definition of semantic security. 

5.4 Equivalence 

The proofs that the three definitions of security are all equivalent are quite similar to the proofs 
for the three-pass case. 
Abstract 

This paper looks at a collection of especially simple conventional cryptosystems that use a very large 
blocksize. One variation uses a single xor randomization followed by a single bit permutation. Tight upper 
and lower bounds are obtained on the number of bits of matching plaintext/ciphertext needed to break the 
systems. These results follow from two interesting combinatorial theorems. The cryptosystems are not 
practical because the number of bits above is about the same as the keysize. We can make the systems 
practical by introducing key-dependent pseudo-random numbers, though we then lose any proofs of the 
difficulty of cryptanalysis. 

1. Introduction. 

Recent work in cryptography has focused on proving that the difficulty of breaking a cryptosystem is 
equivalent to the difficulty of solving some other mathematical problem; for example, the problem of 
factoring composite integers. 

We have been investigating two other approaches to conventional cryptography: 

• Very simple encryption/decryption algorithms - perhaps so simple that one can prove average-case 
lower bounds [Mas85] [Wag86]. 

• Very complex encryption/decryption algorithms — perhaps so complex that mathematical analysis is 
not feasible [Wol85]. 
This article considers the first approach — looking for simple algorithms. To compensate for the 
simplicity of the algorithm we propose using a very large blocksize, or even encrypting an entire file at 
once. We also use randomization. 

As an example, we present a code that uses one randomization step and one bit-permutation with a 
blocksize in the range of 1K to 1M bits. We present the simple motivating examples and their 
generalizations in Section 2. Section 3 looks at cryptanalysis of these various systems. We are able to 
obtain tight bounds on the number of plaintext/ciphertext pairs needed to break the systems. These bounds 
show exactly how much matching plaintext/ciphertext is needed to break the system, but the systems 
investigated in Section 3 are not at all practical. In fact, the keysize must be very large - equal roughly to 
the amount of information that must be transmitted before the system can be broken. Finally, Section 4 
considers several practical variations using pseudo-random numbers. The pseudo-random number 
algorithm is not assumed to be at all secure. 

Another example of this basic approach is considered in [Wag86]. Here, in what might be called global 
randomization, we encrypt an entire relation of a relational database as a unit. 



2. The Rip van Winkel cipher and generalization. 

2.1. The Rip van Winkel cipher. 

An especially simple though impractical cipher called the Rip van Winkel cipher was recently introduced 
[Mas85]. It is interesting for a provable lower bound on the average amount of computation needed to 
break the system. The system is illustrated in Figure 1. 
Figure 1. The Rip van Winkel cipher. 

This cipher has the following interesting properties: 

• The only secret is the delay length, a key-dependent number from 0 to the maximum delay. 

• There is a provable average-case lower bound of $2^{-1}N$ comparisons needed to break the system, 
where $N$ is the maximum delay length. 

• Encryption and decryption require only a single xor per bit. 

• The delay hardware must contain buffer storage. 

• The system is completely impractical. 

The rest of this paper looks at generalizations of this cipher. 



2.2. Pseudo-random selection from queues. 



During a study of randomization techniques [Wag85], we looked at ways to generalize the concept of 
concatenation to work with bit streams. One method employed a pseudo-random bit-sequence to control 
selection from two bit streams; the first, a random stream and the second, a randomization of a message 
stream (see Figure 2). 
Figure 2. Pseudo-random selection from queues. 

It is interesting that this system is a generalization of the Rip van Winkel cipher of Section 2.1. In fact, 
one can take P = "01010101 . . ." and initialize Queue 2 to hold 0 to 20 years worth of true random bits. 

Sections 2.3 and 2.4 consider further generalizations of this system, while Sections 3.1 and 3.3 give 
cryptanalytic attacks on the generalizations. 



2.3. Rip van Winkel in RAM. 

In implementing some version of the Rip van Winkel cipher, efficiency considerations almost force one 
into the use of RAM storage. Once RAM storage is chosen, one might as well plan to use arbitrary 
locations within RAM. This leads to the type of generalization we consider in this section. 

Start with $m$ plaintext bits $P_1, P_2, \ldots, P_m$ and $m$ true random bits $R_1, R_2, \ldots, R_m$. Use a RAM buffer 
$C$ of size $n = 2m$. Initially load $C$ with 

$$C = (R_1, R_2, \ldots, R_m,\ R_1 \oplus P_1,\ R_2 \oplus P_2,\ \ldots,\ R_m \oplus P_m).$$

Then apply an arbitrary permutation of these $n$ bits. This permutation is the encryption/decryption key, 
requiring $n \log_2 n$ bits of storage in the obvious representation. 

Notice that any pair of bits $R_i$ and $R_i \oplus P_i$ is a two-bit randomization of $P_i$, so that the xor of these two 
yields $P_i$. There is nothing that distinguishes the $R_i \oplus P_i$ bit from the $R_i$ bit. 

This is a randomized cryptosystem. There are $n!\,2^{n/2}$ distinct encryption functions and $n!\,2^{-n/2}$ distinct 
decryption functions. The average number of bits needed to represent a decryption key is 

$$\log_2\big(n!\,2^{-n/2}\big)$$

or approximately (using Stirling's formula) 

$$n \log_2 n - n \log_2 e - \tfrac{1}{2} n + \tfrac{1}{2} \log_2 n.$$

Thus we could represent the decryption key with slightly fewer than the $n \log_2 n$ bits needed in just listing $n$ 
addresses, but any gain would go asymptotically to zero as $n$ increases. 

Note that there are 

$$\frac{n!}{(n/2)!\,2^{n/2}}$$

ways to choose pairs of bits, where each pair represents a randomization of a plaintext bit. For each choice 
of pairs, there are $(n/2)!$ permutations of the pairs, giving $n!\,2^{-n/2}$ decryption functions altogether. 
Cryptanalysis of this cipher will be considered in Section 3.3. 
2.4. The matrix cipher. 

Suppose in the previous cipher we wish to protect against chosen plaintext attacks. We could add an 
extra randomization step, in which one xors the plaintext with new random bits before carrying out the 
encryption of Section 2.3. The extra random bits would be concatenated onto the ciphertext. More 
generally, we could think of xoring triples together - two random bits and one plaintext bit — before 
applying the permutation. From here it is natural to think of xoring general subsets of bits. This leads to 
the general form 

$$KC = P,$$

where 

• $P = (P_i)$ is an $m \times 1$ matrix of plaintext bits, 

• $C = (C_j)$ is an $n \times 1$ matrix of ciphertext bits, 

• $K = (K_{ij})$ is an $m \times n$ matrix of key bits, 

• $n \ge m$, 

• all arithmetic is over GF(2), and 

• the matrix $K$ has rank $m$. 

The matrix $K$ is the secret key. For encryption, one solves $m$ equations in the $n$ unknowns $C_1, C_2, \ldots, 
C_n$. For decryption, just multiply $K$ by $C$. If $n > m$, then encryption is randomized and non-linear, but 
decryption is a linear transformation. We are picturing $n$ in the range from 1K to 1M bits. Assuming 
$n = 2m$, the keysize (size of matrix $K$) will be in the range from 500K to 500000M bits. Note that the Hill 
cipher [Den82] is a special case of this when $n = m$. 

For cryptanalysis of this system, refer to Section 3.1. 

3. Cryptanalysis -- upper and lower bounds. 
3.1. The matrix cipher. 

It is easy to break this system using enough known plaintext/ciphertext pairs. Suppose we have $l$ 
ciphertexts $C_1, C_2, \ldots, C_l$ and corresponding plaintexts $P_1, P_2, \ldots, P_l$. Write the ciphertexts as an $n \times l$ 
matrix. We will be able to break the system once this matrix has rank $n$. Assuming the entries of $\{C_1, C_2, 
\ldots, C_l\}$ are random, Appendix I gives probabilities for the matrix to have rank $n$. 

Theorem. Given $n$ known plaintext/ciphertext pairs and assuming random ciphertexts, the probability 
of being able to break the system is 0.288.... After $n + 10$ pairs, the probability is 0.999.... 

See Appendix I for probabilities of being able to break the system after $n + i$ known plaintext/ciphertext 
pairs, $i = 0, 1, 2, \ldots$. 

We can also state a lower bound. 

Theorem. We must process at least $m$ plaintext/ciphertext pairs on the average in order to break the 
matrix cipher. 

Proof. This follows from an information theory argument. The keysize is $mn$. If $m = n$, only 29% of 
all matrices can serve as keys, but the percentage tends rapidly to 1 as $n$ gets greater than $m$ (see Appendix 
I). Thus the number of bits needed to represent the key is at least $mn - 2$. Each chosen or known 
plaintext/ciphertext pair adds at most $n$ bits of information about the key. Thus $m$ pairs must be processed 
before cryptanalysis is possible. 
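As an added example (not from the paper), the following Python code implements the matrix cipher of Section 2.4 over GF(2) with matrix rows packed as integers: key generation rejects keys of rank below $m$, encryption solves $KC = P$ with the $n - m$ free unknowns drawn at random, decryption is the matrix product, and `full_rank_probability` evaluates the rank probability of a random matrix that yields the 0.288... and 0.999... figures of the first theorem above.

```python
import random


def parity(x: int) -> int:
    """Dot product over GF(2) of two bit-vectors packed as ints is parity(x & y)."""
    return bin(x).count("1") & 1


def rank_gf2(rows: list) -> int:
    """Rank over GF(2) of a matrix given as row bitmasks (bit j = column j)."""
    pivots = {}                      # leading-bit position -> reduced row
    for r in rows:
        while r:
            hb = r.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = r
                break
            r ^= pivots[hb]
    return len(pivots)


def keygen(m: int, n: int, rng: random.Random) -> list:
    """Random m x n key K over GF(2) of full rank m (required for decryption)."""
    while True:
        K = [rng.getrandbits(n) for _ in range(m)]
        if rank_gf2(K) == m:
            return K


def encrypt(K: list, n: int, P: int, rng: random.Random) -> int:
    """Solve KC = P for an n-bit C: Gauss-Jordan over GF(2) on [K | P], then the
    n - m free unknowns are drawn at random (the randomization of the scheme) and
    each pivot unknown is forced by its reduced row."""
    pivots = []                      # (pivot column, reduced row, reduced rhs bit)
    for i, row in enumerate(K):
        rhs = (P >> i) & 1
        for pc, prow, prhs in pivots:        # clear the existing pivot columns
            if (row >> pc) & 1:
                row ^= prow
                rhs ^= prhs
        if row == 0:
            raise ValueError("K must have rank m")
        pc = row.bit_length() - 1
        reduced = []                         # keep earlier rows clear at the new pivot
        for qc, qrow, qrhs in pivots:
            if (qrow >> pc) & 1:
                qrow ^= row
                qrhs ^= rhs
            reduced.append((qc, qrow, qrhs))
        pivots = reduced + [(pc, row, rhs)]
    pivot_mask = sum(1 << pc for pc, _, _ in pivots)
    C = rng.getrandbits(n) & ~pivot_mask & ((1 << n) - 1)   # random free unknowns
    for pc, row, rhs in pivots:      # a reduced row touches only its pivot and free columns
        if rhs ^ parity(row & C):
            C |= 1 << pc
    return C


def decrypt(K: list, C: int) -> int:
    """P = K C over GF(2): plaintext bit i is the parity of row i AND C."""
    P = 0
    for i, row in enumerate(K):
        P |= parity(row & C) << i
    return P


def full_rank_probability(rows: int, cols: int) -> float:
    """Probability that a uniformly random rows x cols matrix over GF(2) has rank
    rows (rows <= cols): prod_{i=cols-rows+1}^{cols} (1 - 2^-i).  For the n x l
    ciphertext matrix of Section 3.1 this is the chance that l pairs break the cipher."""
    p = 1.0
    for i in range(cols - rows + 1, cols + 1):
        p *= 1.0 - 2.0 ** -i
    return p


def roundtrip(m: int = 16, n: int = 32, P: int = 0xBEEF, seed: int = 7) -> dict:
    """Key generation, two independent encryptions of P and their decryptions."""
    rng = random.Random(seed)
    K = keygen(m, n, rng)
    C1, C2 = encrypt(K, n, P, rng), encrypt(K, n, P, rng)
    return {"rank": rank_gf2(K), "C1": C1, "C2": C2,
            "D1": decrypt(K, C1), "D2": decrypt(K, C2)}


if __name__ == "__main__":
    r = roundtrip()
    print(f"rank(K) = {r['rank']}, C1 = {r['C1']:08x}, C2 = {r['C2']:08x}, "
          f"both decrypt to {r['D1']:04x} {r['D2']:04x}")
    print(f"P(n x n full rank)      -> {full_rank_probability(64, 64):.4f} (paper: 0.288...)")
    print(f"P(n x (n+10) full rank) -> {full_rank_probability(64, 74):.4f} (paper: 0.999...)")
```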



3.2. Bit permutations. 

Assume $m = n$ and restrict to ciphers that are just permutations. Thus the matrix $K$ is a permutation 
matrix - exactly one 1 in each row and column. 

Theorem. We can always uniquely determine a permutation of $m$ bits using $\lceil \log_2 m \rceil$ chosen plaintext/ 
ciphertext pairs, and no fewer pairs will suffice to uniquely determine a permutation. 

Proof. The proof that $\lceil \log_2 m \rceil$ pairs will suffice is very similar to the Hamming code construction. 

Next we show that at least $\lceil \log_2 m \rceil$ pairs are required. Suppose we have fewer than $\lceil \log_2 m \rceil$ plaintexts, 
say $k$ of them. For each $i$, $1 \le i \le m$, regard the $i$th positions of each plaintext as a $k$-bit number. There are 
$m$ such numbers, but fewer than $\lceil \log_2 m \rceil$ bits. Thus we do not have enough bits for each of these $m$ 
numbers to be distinct. In other words, there exist positions $i$ and $j$ such that each of the $k$ plaintexts has 
the same value at $i$ and $j$. Then given these $k$ plaintexts and the corresponding ciphertexts, we cannot tell 
whether the permutation leaves $i$ and $j$ fixed, or interchanges $i$ and $j$, or does something more complex with 
positions $i$ and $j$. Thus the permutation is not uniquely determined, completing the proof. 

It is interesting to note that we lose guaranteed security just as we finish transmitting $m \log_2 m$ bits of 
plaintext, and $m \log_2 m$ is the keysize. So as we might expect, we would be better off just using a one-time 
pad. Later we will attempt to refine examples like the one in this section into a practical cryptosystem. 

Suppose we have known plaintext/ciphertext pairs available, rather than chosen pairs. 

Theorem. Let $P_{m,k}$ denote the probability that a permutation of $m$ bits is uniquely determined by $k$ 
random known plaintext/ciphertext pairs, i.e., the probability that $k$ pairs will suffice to break the system. 
Then $P_{m,k}$ is the same as the number $p(m, 2^k)$ of Appendix I, the probability that $m$ $k$-bit numbers will be 
distinct. In particular $P_{m,k} > 0.606$ for $k \ge 2\lceil \log_2 m \rceil$, and $P_{m,k} > 0.9995$ for $k \ge 2\lceil \log_2 m \rceil + 10$. 

Proof. From Appendix I, once you believe that the $m$ $k$-bit numbers must be distinct to uniquely 
determine a permutation. 
3.3. The Rip van Winkel cipher in RAM. 

Refer to Section 2.3 for the encryption/decryption algorithms. 

Let us mount a chosen plaintext attack on this system using $P = (0\ 0 \ldots 0)$, i.e., all $m$ bits equal to 0. 
Repeated attacks will yield corresponding ciphertexts $C_1, C_2, \ldots$, each $n = 2m$ bits long. For a given $C_l$, 
each pair $R_i$ and $R_i \oplus P_i$ of bits will be the same, either both 0 or both 1, whereas all other pairs have 
probability 1/2 of differing. For a given bit position $i$ ($1 \le i \le n$) and for a given ciphertext $C_l$, we expect 
half of the other positions $j$ will be eliminated as candidates for the position paired with $i$. Thus intuitively, 
for fixed bit position $i$, we expect with probability 1/2 to have identified the unique position paired with $i$ 
after processing $\log_2 m$ of the $C_l$. For all bit positions $i$, we intuitively expect with probability 1/2 to have 
identified all pairs after processing $2 \log_2 m$ of the $C_l$. This intuition turns out to be correct, as we show 
below. 

We need an additional $\log_2 m$ chosen plaintext/ciphertext pairs to uncover the permutation of the pairs, 
using a variation of the Hamming code. 

Theorem. The system described here can be broken with probability at least 0.606... using $3\lceil \log_2 m \rceil$ 
chosen plaintext/ciphertext pairs. With $3\lceil \log_2 m \rceil + 10$ pairs, the probability of breaking the system is 
greater than 0.9995. 

Proof. Let $Q_l$ be the $n$-bit vector obtained by applying the inverse of the encryption permutation to $C_l$. 
Then $Q_l$ consists of a random $m$-bit string followed by the identical $m$-bit string. Suppose we have $k$ such 
$n$-bit vectors. Look at the columns of the $Q_l$ rather than the rows, so that we have $m$ random $k$-bit quantities 
followed by a repetition of these. By an argument similar to that used for the Hamming code, these $k$ 
ciphertexts will uniquely determine the pairings of bit positions if and only if the $m$ $k$-bit numbers are all 
distinct. Thus from Appendix I, the probability of uniquely determining the pairings becomes 0.606... for 
$k = 2\lceil \log_2 m \rceil$. The remainder of the proof is the same as the method for breaking a permutation cipher. 

If we look at the proof, we see that for this type of attack we cannot do any better. 

Theorem. Assuming we first determine the bit pairings using a chosen plaintext of all zero bits or all 
one bits and then the permutation of pairs, $3\lceil \log_2 m \rceil$ chosen plaintext/ciphertext pairs are necessary and 
sufficient to have probability 0.606... of breaking this system. Exact probabilities for breaking the system 
using this attack with fewer or with more chosen plaintext/ciphertext pairs are given in Appendix I for 
$m = 2^{10}$ and $m = 2^{20}$. 

We are not able to prove the lower bound for an arbitrary chosen plaintext attack on this system, though 
we believe that no attack uses fewer pairs than the one we presented. 

Notice that it seems much more difficult to break this system given only known plaintext/ciphertext 
pairs — particularly if the plaintext contains roughly equal numbers of zero and one bits. In fact, the only 
attack we know of in this case is the one of Section 3.1, requiring at least $n$ known plaintext/ciphertext 
pairs. 
4. Practical variations using pseudo-random numbers. 

4.1. Rip van Winkel in RAM. 

For a RAM buffer of size $n$ = 1M bits, the Rip van Winkel in RAM cipher introduced and studied in 
Sections 2.3 and 3.3 has two fatal flaws: 

• The keysize is relatively large, namely $n \log_2 n$, or 20M bits = 2.5M bytes for $n$ = 1M. 

• Relatively few chosen plaintext/ciphertext pairs are needed to break the system with high probability, 
namely $3 \log_2 n + 10$, or 70 for $n$ = 1M. (However, it appears that known plaintext attacks would 
require many more pairs.) 

We can make these difficulties go away by 

• generating the bit permutation pseudo-randomly, using a key-dependent pseudo-random number 
generator, and 

• changing the key to the pseudo-random number generator with each encryption step. (We can use 
some of the random bits used to encrypt the plaintext for the key for the next encryption.) 

Several difficulties then emerge: 

• We must choose a suitable key-dependent pseudo-random number generator. 

• We no longer have a required $3 \log_2 n$ chosen plaintext/ciphertext pairs in order to break the system. 
In fact, a single known plaintext attack might succeed using a brute-force approach and arbitrarily 
large computing resources. 

Though we no longer have any provable security, we feel that almost any pseudo-random number 
generator with a long key and very long period should provide good security. For example, the Tausworthe 
generator in [Bri79] with $n = 521$ has key (= seed) 521 bits long and period of $2^{521}$ 64-bit numbers. Since 
there is a key change at each stage, the opponent effectively has just one plaintext/ciphertext pair to work 
with. Best for an opponent would be the ciphertext corresponding to a chosen plaintext of all 0 bits (or all 1 
bits), and this might be sufficient information to uniquely determine the key. However, the information is 
in a very diffuse and vague form that should make anything but brute-force cryptanalysis difficult. 
Basically, this information breaks the buffer into two subsets, and bit pairings are known to be confined to 
one or the other subset. 

The actual algorithm is very simple to state: 
(* Encryption algorithm. *) 
(* initial load of buffer *) 
for i := 1 to m do 
begin 
    C[i] := truerandom; 
    C[i+m] := C[i] xor P[i] 
end; 

(* pseudo-random permutation *) 
for i := n downto 2 do 
    interchange ( C[i], C[pseudorandom ( key, i )] ) 

Here C and P are bit arrays of ranges respectively 1 .. n and 1 .. m, where n = 2m. The procedure 
"truerandom" returns a true random bit and the procedure "pseudorandom" returns an integer in the range 1 
.. i. The permutation algorithm is described in [Knu81], and it is easy to see that if this algorithm is 
supplied uniformly distributed random integers, then the permutations generated are also uniformly 
distributed. Notice that between the two halves of the algorithm, the key for the next encryption would be 
extracted from the lower half of the buffer. 

This algorithm seems interesting for its simplicity. It requires very few computational resources per 
plaintext bit: 1 true random bit, 1 call to the pseudo-random number generator, 1 xor, and several accesses 
and stores. Thus a larger buffer size requires no extra computation per message bit, though a larger buffer 
means that a longer pseudo-random integer must be returned. (Of course a larger buffer increases the 
overhead for short messages, since the entire buffer must still be sent.) 

Decryption can be carried out in general without much difficulty (see [Knu73] for an algorithm for 
inverting a permutation). Decryption becomes especially easy if the pseudo-random number generator will 
run backwards. 
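The encryption algorithm above, together with decryption by undoing the permutation and the key chaining from the lower half of the buffer, as an added Python example that is not the paper's code. `random.Random(key)` stands in for the key-dependent pseudo-random number generator (an assumption for the demo; it is not a cryptographic generator), and the `true_rng` parameter is an added hook so that the "truerandom" source can be seeded for a reproducible run.

```python
import random
import secrets


def encrypt(key: int, P: list, true_rng=None) -> tuple:
    """Section 4.1 encryption for a list P of m plaintext bits.  Returns the n = 2m bit
    buffer C and the key to use for the next message.  true_rng (added parameter, for
    reproducible demos) replaces the 'truerandom' source; by default the OS CSPRNG."""
    m = len(P)
    n = 2 * m
    rand_bit = true_rng.getrandbits if true_rng is not None else secrets.randbits
    C = [0] * n
    for i in range(m):                  # initial load: (R_1..R_m, R_1^P_1..R_m^P_m)
        C[i] = rand_bit(1)
        C[i + m] = C[i] ^ P[i]
    # Between the two halves of the algorithm the next key is taken from the
    # lower (true random) half of the buffer.
    next_key = int("".join(map(str, C[:m])), 2)
    prng = random.Random(key)           # stand-in for the key-dependent generator
    for i in range(n - 1, 0, -1):       # Knuth shuffle, 0-based: 'for i := n downto 2'
        j = prng.randrange(i + 1)       # 'pseudorandom(key, i)': uniform in 0..i
        C[i], C[j] = C[j], C[i]
    return C, next_key


def decrypt(key: int, C: list) -> tuple:
    """Regenerate the swap sequence from the key, undo it in reverse order, then
    recover each plaintext bit as R_i xor (R_i xor P_i).  Returns (P, next_key)."""
    n = len(C)
    m = n // 2
    prng = random.Random(key)
    swaps = [(i, prng.randrange(i + 1)) for i in range(n - 1, 0, -1)]
    B = list(C)
    for i, j in reversed(swaps):        # inverse of the encryption permutation
        B[i], B[j] = B[j], B[i]
    P = [B[i] ^ B[i + m] for i in range(m)]
    next_key = int("".join(map(str, B[:m])), 2)
    return P, next_key


def chained_roundtrip(seed: int = 3, key: int = 0x5EED, m: int = 16) -> dict:
    """Two constructed messages; the second is encrypted under the key extracted
    during the first encryption, and decrypted under the key the receiver extracts."""
    true_rng = random.Random(seed)       # constructed 'true random' source for the demo
    P1 = [true_rng.getrandbits(1) for _ in range(m)]
    P2 = [true_rng.getrandbits(1) for _ in range(m)]
    C1, k1 = encrypt(key, P1, true_rng)
    C2, k2 = encrypt(k1, P2, true_rng)
    D1, k1d = decrypt(key, C1)
    D2, k2d = decrypt(k1d, C2)
    return {"ok": D1 == P1 and D2 == P2 and k1 == k1d and k2 == k2d,
            "n": len(C1), "P1": P1, "D1": D1, "C1": C1}


if __name__ == "__main__":
    r = chained_roundtrip()
    print(f"buffer of n = {r['n']} bits, chained round trip ok = {r['ok']}")
    print("P1 =", "".join(map(str, r["P1"])), " C1 =", "".join(map(str, r["C1"])))
```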

4.2. Other practical variations. 

Many variations and extensions of the basic system presented in Section 4.1 are possible. If we have 
fewer than m = n/2 message bits, we can fill up the buffer with true random bits. We can also enlarge the 
buffer size to fill up the channel. Finally, instead of xoring just two bits together, we can xor as large a 
subset as we can afford computationally. Thus we can plan to use up the resources of a personal workstation 
in order to enhance security. 

Consider the following extreme case with $n > m$, a generalization of the system in Section 4.1: 

(* Encryption -- general form *) 
(* initial load of buffer *) 
for i := 1 to n-m do 
    C[i] := truerandom; 

(* xor of subsets *) 
for i := 1 to m do 
begin 
    PR[1 .. (n-m+i-1)] := pseudo-random bit stream; 
    C[n-m+i] := P[i] xor (PR[1 .. (n-m+i-1)] inner product C[1 .. (n-m+i-1)]) 
end; 

(* pseudo-random permutation, as before *) 
Appendix I. Probability that $m$ $k$-bit random numbers are distinct. 



Choose $m$ $k$-bit numbers at random, $k \ge \lceil \log_2 m \rceil$. Let $p(m, 2^k)$ denote the probability that all $m$ of the 
numbers are distinct. (If $k < \lceil \log_2 m \rceil$, then it is impossible for them all to be distinct.) More generally, 
consider $p(m, N)$, the probability of picking $m$ distinct items out of $N$, where the selection is done at 
random with replacement. It is easy to see that 

$$p(m, N) = \prod_{i=0}^{m-1} \Big(1 - \frac{i}{N}\Big) = \frac{N!}{(N-m)!\,N^m}.$$

Values of $p(2^{10}, 2^k)$ and $p(2^{20}, 2^k)$ are tabulated below for various $k$. Note that for increasing $k$, $p(m, 2^k)$ 
first gets greater than 0.5 for $k = 2\lceil \log_2 m \rceil$. As $k$ becomes large, the value $p(2^{k/2}, 2^k)$ tends to 
0.6065306597.... 

The entries in the table were all calculated using the exact formula. However, we can set m = aN and use Stirling's formula to obtain the approximation 

$$p(m, N) = p(aN, N) \approx \Bigl((1-a)^{-(1-a)}\, e^{-a}\Bigr)^{N} (1-a)^{-1/2}.$$

Though it is only an approximation, this formula is accurate enough to give every digit of every entry in the table, except for the entry $p(2^{10}, 2^{10})$. 

As shown in Table 1, two lists of $p(m, 2^k)$ values for two different values of m are nearly the same when shifted so that the entries $k = 2\lceil \log_2 m \rceil$ are lined up. This property follows from the approximation 

$$p(2m, 4N) \approx p(m, N),$$

which is quite accurate as long as N is not too small. Other interesting approximate recurrences include 

$$p(m, 2N) \approx p(m, N)^{1/2}, \qquad p(2m, N) \approx p(m, N)^{4}$$

and more generally, 

$$p(2^a m, 2^b N) \approx p(m, N)^{4^a / 2^b}.$$

To prove one variation of these recurrences, use the formula for p(aN, N) with the $(1-a)^{-1/2}$ part dropped out (accurate for a small). Then $p(2aN, 2N) = p(a(2N), 2N) = p(aN, N)^2$, so that 

$$p(2m, 2N) \approx p(m, N)^2.$$
            m = 2^10 = 1024       m = 2^20 = 1048576 
   k        p(2^10, 2^k)          p(2^20, 2^k)           k 
  10        1.5371837 E -443      3.7069749 E -223      30 
  15        0.00000009652         0.00000011251         35 
  16        0.0003242093          0.0003354515          36 
  17        0.018196318           0.018315522           37 
  18        0.13524703            0.13533519            38 
  19        0.36799933            0.36787955            39 
  20        0.60672822            0.60653085            40 
  21        0.77895928            0.77880093            41 
  22        0.88259566            0.88249699            42 
  23        0.93946801            0.93941311            43 
  24        0.96926219            0.96923326            44 
  25        0.98451130            0.98449645            45 
  30        0.99951231            0.99951183            50 
  35        0.99998475            0.99998474            55 

Table 1. 



  n-m     Probability that random m x n matrix over GF(2) 
          has rank m (accurate to 12 digits for m > 40) 
   0      0.288788095086 
   1      0.577576190173 
   2      0.770101586897 
   3      0.880116099311 
   4      0.938790505932 
   5      0.969074070639 
   6      0.984456198745 
   7      (illegible in the source) 
   8      (illegible in the source) 
   9      0.998048146211 
  10      0.999023755347 = 1 - 0.976244 E -3 
  20      1 - 0.953674 E -6 
  30      1 - 0.931322 E -9 
  40      1 - 0.909494 E -12 
  50      1 - 0.888124 E -15 

Table 2. 



Appendix II. Probability that an m x n matrix over GF(2) with random entries has rank m. 

Theorem: Consider an m x n (n ≥ m) matrix over GF(2) with all entries randomly chosen. For m = n, the approximate probability that the matrix is invertible is given by the constant $q_0 = 0.28878809508660242\ldots$ (The approximation is accurate to about 12 digits for m ≥ 40.) More generally, for n > m, the approximate probability that the matrix has rank m is given by Table 2. (The probability of rank m is very roughly $1 - 2^{-(n-m)}$.) 

Proof: Consider first the m x m case. There are $2^{m^2}$ matrices altogether over GF(2). Let F(m) denote the number of invertible matrices. To calculate F(m), we just count the number of ways to build up m linearly independent rows. This gives $F(m) = (2^m - 2^0)(2^m - 2^1)(2^m - 2^2)\cdots(2^m - 2^{m-1})$. F(m) satisfies the recurrence $F(m) = (2^{2m-1} - 2^{m-1})F(m-1)$. Since $G(m) = 2^{m^2}$ satisfies $G(m) = 2^{2m-1}G(m-1)$, we suspect that F(m) looks like $2^{m^2}$: 

$$\frac{F(m)}{2^{m^2}} = \frac{1}{2} \cdot \frac{3}{4} \cdot \frac{7}{8} \cdot \frac{15}{16} \cdots \frac{2^m - 1}{2^m}.$$

The corresponding infinite product is given by a special Theta function known as a Q-function, 

$$Q_0(q) = \prod_{m=1}^{\infty}(1 - q^{2m}), \quad \text{where we want } Q_0(1/\sqrt{2}).$$

This product converges rapidly to $q_0 = 0.28878809508660242\ldots$. Thus F(m) is approximately $q_0 \cdot 2^{m^2}$. (The approximation is accurate to 3 digits when m = 10, 6 digits when m = 20 and generally about 0.3 m digits.) The other figures in the table of the theorem are obtained by dropping the initial n − m terms of the infinite product. 
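The quantities behind Tables 1 and 2, as an added Python example that is not part of the paper: the exact product for p(m, N) evaluated in the log domain (so that entries such as $p(2^{10}, 2^{10}) \approx 10^{-443}$ stay representable), the Stirling approximation, and the truncated Q-function product for the GF(2) rank probabilities. Function names are this example's own.

```python
import math


def log_p_distinct(m: int, N: int) -> float:
    """ln p(m, N) = ln prod_{i=0}^{m-1} (1 - i/N), the exact formula of Appendix I.
    Summing logs avoids the underflow that hits p(2^10, 2^10) in double precision."""
    if m > N:
        return -math.inf  # fewer than m distinct values exist at all
    return math.fsum(math.log1p(-i / N) for i in range(m))


def p_distinct(m: int, N: int) -> float:
    return math.exp(log_p_distinct(m, N))


def log_p_stirling(m: int, N: int) -> float:
    """Stirling approximation with a = m/N:
    p(aN, N) ~ ((1-a)^{-(1-a)} e^{-a})^N (1-a)^{-1/2}, evaluated as a log."""
    a = m / N
    return N * (-(1 - a) * math.log1p(-a) - a) - 0.5 * math.log1p(-a)


def p_stirling(m: int, N: int) -> float:
    return math.exp(log_p_stirling(m, N))


def mantissa_exponent(log_value: float):
    """Write exp(log_value) as (mantissa, decimal exponent) in the table's 'E' notation."""
    log10 = log_value / math.log(10)
    exponent = math.floor(log10)
    return 10 ** (log10 - exponent), exponent


def rank_probability(extra_columns: int, terms: int = 100) -> float:
    """Probability that a random m x n matrix over GF(2) has rank m, with
    n - m = extra_columns: the product prod_{i>=1} (1 - 2^{-i}) of Appendix II
    with its first n - m factors dropped.  Factors beyond 2^{-100} do not move a double."""
    result = 1.0
    for i in range(extra_columns + 1, extra_columns + terms + 1):
        result *= 1.0 - 2.0 ** (-i)
    return result


def q0() -> float:
    """The constant q_0 = Q_0(1/sqrt 2) of Appendix II (no columns dropped)."""
    return rank_probability(0)


if __name__ == "__main__":
    for k in (10, 15, 19, 20, 25):
        mant, exp10 = mantissa_exponent(log_p_distinct(2 ** 10, 2 ** k))
        print(f"k={k:2d}  p(2^10, 2^k) = {mant:.7f} E {exp10}   Stirling: {p_stirling(2 ** 10, 2 ** k):.8f}")
    for j in (0, 1, 4, 10, 20):
        print(f"n-m={j:2d}  rank-m probability = {rank_probability(j):.12f}")
```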
Abstract 

A class of periodic binary sequences that are obtained from the incidence vectors of hyperplanes in finite geometries is defined, and a general method to determine their linear spans (the length of the shortest linear recursion over GF(2) satisfied by the sequence) is described. In particular, we show that the projective and affine hyperplane sequences of odd order both have full linear span. Another application involves the parity sequence of order n, which has period $p^n - 1$ and linear span vL(s) where $v = (p^n - 1)/(p - 1)$ and L(s) is the linear span of a parity sequence of order 1. The determination of the linear span of the parity sequence of order 1 leads to an interesting open problem involving primes. 

1. INTRODUCTION. 

Binary sequences which satisfy recursions over GF(2) are easy to generate and have many applications in modern communication systems. If the recursions involved are linear, then the sequences can have several desirable properties, e.g., long periods, useful correlation properties, and balanced statistics. Binary sequences of maximum period $2^n - 1$ that are generated by linear recursions over GF(2) of degree n are called binary m-sequences of span n [1]. 

These linear recursive sequences suffer from one drawback: only relatively few terms of the sequence are needed to solve for the generating recursion; i.e., their linear span (the length of the shortest linear recursion over GF(2) satisfied by the sequence) is short relative to their period. Such easy predictability makes binary m-sequences unsuitable for some applications requiring pseudorandom bits. 
In this paper, we consider a class of periodic binary sequences that are obtained from the incidence vectors of hyperplanes in finite geometries. From another point of view, these sequences can be obtained from q-ary m-sequences of span n through a mapping ρ from GF(q) to GF(2), where q is a power of an odd prime. We show that the linear span of these sequences is comparable to their large periods. In fact, the linear span of such a sequence S of period $q^n - 1$ is given by vL(s) where $v = (q^n - 1)/(q - 1)$ and L(s) denotes the linear span of a sequence s of period q − 1. The binary sequence s is obtained by applying the defining mapping ρ of S to a listing of the nonzero elements of GF(q) according to the powers of some primitive element. If q is of moderate size, then the linear span of s is easily computed by the Berlekamp-Massey algorithm [2]. 

The next section introduces the notions involving the linear span of a sequence. Section 3 
describes the construction of the binary sequences obtained from finite geometries. Section 4 
establishes the upper bound of the linear span of these sequences, while section 5 shows that 
this bound is always attained. Finally, section 6 gives four examples of sequences obtained from 
finite geometries and their associated linear spans. These include the hyperplane sequences for 
both projective and affine spaces. One of these sequences, called the parity sequence, gives rise 
to an interesting open problem involving primes. 

2. THE LINEAR SPAN OF A SEQUENCE. 

This paper considers binary sequences and linear recursions over GF(2). All operations used are those of GF(2) unless otherwise stated. Let E denote the sequence shift operator: Es is the sequence with i-th term $(Es)_i = s_{i+1}$. A sequence $s = (s_0, s_1, s_2, \ldots)$ satisfies a linear recursion of degree m if, for $a_j \in GF(2)$, 

$$s_{i+m} + \sum_{j=1}^{m} a_j s_{i+m-j} = 0, \qquad i \ge 0.$$

This recursion can be expressed in terms of the shift operator, 

$$\Bigl(E^m + \sum_{j=1}^{m} a_j E^{m-j}\Bigr) s = 0.$$

The polynomial $f(E) = E^m + \sum_{j=1}^{m} a_j E^{m-j}$ is called the characteristic polynomial of the recursion. If m(E) denotes the unique monic polynomial of least degree such that m(E)s = 0, then the linear span of s, denoted by L(s), equals the degree of m(E); m(E) is called the minimal polynomial of s. If f(E)s = 0, then from the division algorithm, $m(E) \mid f(E)$. In particular, if s has period N, then $(E^N + 1)s = 0$, so that $m(E) \mid E^N + 1$, and $L(s) \le N$. 

The linear span of a sequence is one measure of its predictability. Any "good" pseudorandom sequence must have large linear span relative to its period [3], [4]. If a sequence has linear span L, then its linear recursion can be determined from 2L successive elements of the sequence. The remaining elements then can be produced from the recursion. 

3. SEQUENCES FROM FINITE GEOMETRIES. 

In this section, we give the construction of a class of periodic binary sequences that are obtained from finite geometries. Let $q = p^r$, where p is an odd prime, and α be a primitive element of $GF(q^n)$. The nonzero elements of $GF(q^n)$ can be ordered using the primitive element α: $\{\alpha^i : i = 0, 1, \ldots, q^n - 2\} = GF(q^n)^*$. Elements of $GF(q^n)$ can also be considered as points of an n-dimensional affine space, denoted by EG(n, q). We shall first establish the geometric structure of an affine space EG(n, q) defined by a q-ary m-sequence of span n. 

Let $Tr : GF(q^n) \to GF(q)$ be the trace function defined by $Tr(x) = x + x^q + \ldots + x^{q^{n-1}}$. It is well known that the sequence $R = (R_i)$, obtained by $R_i = Tr(\alpha^i)$, is a q-ary m-sequence of span n with period $q^n - 1$. Furthermore, one period of R has the form $R = (T, \beta T, \beta^2 T, \ldots, \beta^{q-2} T)$ where T is a q-ary vector of length $v = (q^n - 1)/(q - 1)$, and $\beta = \alpha^v$ is the corresponding primitive element of GF(q) [5]. The sequence R partitions the elements of $GF(q^n)^*$ into q subsets $H_a^*$, $a \in GF(q)$, where $H_a^* = \{\alpha^i : R_i = Tr(\alpha^i) = a\}$. If we consider $H_0 = H_0^* \cup \{0\}$ and $H_a = H_a^*$ for $a \ne 0$, then $\Pi = \{H_a : a \in GF(q)\}$ forms a parallel class of affine hyperplanes in EG(n, q). In general, corresponding to every cyclic shift $E^k R$, $k = 0, 1, \ldots, v - 1$, of R there is in EG(n, q) a corresponding parallel class of hyperplanes $\Pi^{(k)}$ consisting of $H_a^{(k)} = \{\alpha^{i-k} : \alpha^i \in H_a\}$, $a \in GF(q)^*$, and $H_0^{(k)} = \{0\} \cup \{\alpha^{i-k} : \alpha^i \in H_0^*\}$. Thus all parallel classes of hyperplanes in EG(n, q) can be obtained from R. 

We define periodic binary sequences, which are indexed by the elements of $EG(n, q) \setminus \{0\}$, by considering the incidence vectors of subcollections of $\Pi^* = \{H_a : a \in GF(q)^*\}$. In particular, for $I \subseteq GF(q)^*$ and corresponding subcollection $\Sigma_I = \{H_a : a \in I\}$, the sequence $S(\Sigma_I)$ has period $q^n - 1$ and i-th term, corresponding to $\alpha^i$, given by 

$$S_i = \begin{cases} 1, & \text{if } \alpha^i \in H_a \text{ for some } a \in I, \\ 0, & \text{otherwise.} \end{cases}$$

Equivalently, if $\rho_I : GF(q) \to GF(2)$ is defined by 

$$\rho_I(a) = \begin{cases} 1, & \text{if } a \in I, \\ 0, & \text{otherwise,} \end{cases}$$

then $S(\Sigma_I)$ has i-th term given by $S_i = \rho_I(R_i)$. Note that points in $H_0$ are always mapped to 0 in GF(2). For simplicity of notation, we shall use Σ and ρ to denote $\Sigma_I$ and $\rho_I$ whenever I is understood. The purpose of this paper is to determine the linear span of $S(\Sigma_I)$. 
Example 1: For p = 3, n = 2 and primitive polynomial $x^2 + x + 2$, the ternary m-sequence R of span 2 is given by 

R = (2 2 0 2 1 1 0 1). 

The parallel class of hyperplanes corresponding to R consists of 

$H_0 = \{0, \alpha^2, \alpha^6\}$, 
$H_1 = \{\alpha^4, \alpha^5, \alpha^7\}$, 
$H_2 = \{\alpha^0, \alpha^1, \alpha^3\}$. 

For I = {1, 2}, $S(\Sigma_I)$ = (01110111) has linear span 4. For I = {1}, $S(\Sigma_I)$ = (01000011) has linear span 8. 

4. UPPER BOUND ON THE LINEAR SPAN OF SEQUENCES FROM FINITE GEOMETRIES. 

For fixed n > 1, $R = (R_0, R_1, \ldots, R_{q^n-2})$ will denote an m-sequence of span n over GF(q). For any collection Σ of hyperplanes obtained from R, $S(\Sigma) = (S_0, S_1, \ldots, S_{q^n-2})$ will denote a binary sequence determined by Σ; i.e., $S_i = 1$ if $\alpha^i \in H_a \in \Sigma$ and $S_i = 0$ otherwise. Although the sequence S(Σ) depends on the choice of primitive polynomial, the results concerning its linear span will not. This is because any sequence obtained using a different primitive polynomial is related to S(Σ) by a decimation by a value relatively prime to the period. 

We introduce an array operator A which takes any sequence X of period $q^n - 1$ and arranges it into the (q − 1) by v array: 

$$A(X) = \begin{pmatrix} X_0 & X_1 & \cdots & X_{v-1} \\ X_v & X_{v+1} & \cdots & X_{2v-1} \\ \vdots & \vdots & & \vdots \\ X_{(q-2)v} & X_{(q-2)v+1} & \cdots & X_{(q-1)v-1} \end{pmatrix}$$

When applied to R, this operator produces the array A(R) with column i of the form $(R_i, \beta R_i, \ldots, \beta^{q-2} R_i) = R_i(1, \beta, \ldots, \beta^{q-2})$. The sequence $(1, \beta, \beta^2, \ldots, \beta^{q-2})$ is a q-ary m-sequence of span 1 and will be denoted by $r = (r_0, r_1, \ldots, r_{q-2})$. A binary sequence s(Σ) of period q − 1 is obtained by applying ρ to each term of r, where ρ is the mapping from GF(q) to GF(2) determined by Σ. The main result of this paper is that the linear span L(S(Σ)) of S(Σ) is given by vL(s(Σ)). The value of L(s(Σ)) is relatively easy to compute. 

If $R_i = 0$, then column i of A(R) is the zero sequence 0. Otherwise $R_i = \beta^{e_i}$ for some $e_i \in \{0, 1, \ldots, q - 2\}$ and column i is $E^{e_i} r$. In general, we define the shift sequence of R to be $e = (e_0, e_1, \ldots, e_{q^n-2})$ where $e_i = \infty$ if $R_i = 0$ or $R_i = \beta^{e_i}$ if $R_i \ne 0$. Likewise, the finite terms of $(e_0, e_1, \ldots, e_{q^n-2})$ give the shifts of the sequence s(Σ) occurring as columns of the (q − 1) by v array A(S(Σ)). A(S(Σ)) contains columns of all zeros corresponding to the ∞ positions in $(e_0, e_1, \ldots, e_{v-1})$. By convention, we write $E^\infty s = 0$. 

Example 2: For p = 5, n = 3 and primitive polynomial $x^3 + x^2 + 2$ the p-ary m-sequence R of span 3 is given in its array form as 

$$A(R) = \begin{pmatrix} 0014120332224243340432042342201 \\ 0032310441112124420241021421103 \\ 0041430223331312210123013213304 \\ 0023240114443431130314034134402 \end{pmatrix}$$

If Σ = {H_a : a ≡ 1 (mod 2)} then 

$$A(S(\Sigma)) = \begin{pmatrix} 0010100110000001100010000100001 \\ 0010110001110100000001001001101 \\ 0001010001111110010101011011100 \\ 0001000110001011110110010110000 \end{pmatrix}$$

r = (1, 3, 4, 2), s(Σ) = (1, 1, 0, 0), and the first v = 31 terms of the shift sequence e are: 

(∞ ∞ 0 2 0 3 ∞ 1 1 3 3 3 2 3 2 1 1 2 ∞ 2 1 3 ∞ 2 3 1 2 3 3 ∞ 0). 



Throughout, let M(E) and m(E) denote the minimal polynomials of S(Σ) and s(Σ), respectively. We shall use the notation S and s to denote the sequences S(Σ) and s(Σ) respectively whenever the collection Σ of hyperplanes is assumed. We begin to investigate the properties of M(E) and m(E), obtaining upper bounds on the linear spans of S and s. The weight wt(X) of a binary sequence $X = (X_0, X_1, \ldots, X_{N-1})$ is the sum of any N consecutive terms of X. Thus, 

$$((E^N + 1)/(E + 1))X = (E^{N-1} + E^{N-2} + \ldots + 1)X = (wt(X) \bmod 2).$$

LEMMA 1. If Σ contains an odd number of hyperplanes, then $wt(S(\Sigma)) \equiv 1 \pmod 2$. If Σ contains an even number of hyperplanes, then $wt(S(\Sigma)) \equiv 0 \pmod 2$. 

Proof. 

wt(S) = |Σ| (number of elements in a hyperplane). 

Since each hyperplane in an affine space EG(n, q) contains $q^{n-1}$ elements and q is odd, $wt(S) \equiv |\Sigma| \pmod 2$, and the result follows. | 
THEOREM 2. If Σ contains an odd number of hyperplanes in EG(n, q), then the highest power of (E + 1) that divides $(E^{q^n-1} + 1)$ divides M(E). 

PROOF. Since S has period $q^n - 1$, M(E) divides $(E^{q^n-1} + 1)$. But, 

$$((E^{q^n-1} + 1)/(E + 1))S = (wt(S) \bmod 2) = (1)$$

and so M(E) does not divide $(E^{q^n-1} + 1)/(E + 1)$. The result follows. | 

COROLLARY 3. If Σ contains an odd number of hyperplanes, then 

$$(E + 1)^2 \mid m(E).$$

PROOF. Apply the theorem to the case n = 1, and note that since q is odd, $(E + 1)^2 \mid (E^{q-1} + 1)$. | 

Our next theorem establishes an upper bound on the linear span of the sequence S. 

THEOREM 4. $M(E) \mid m(E^v)$ so that $L(S(\Sigma)) \le vL(s(\Sigma))$. 

PROOF. We show that if $m(E) = E^{j_1} + E^{j_2} + \ldots + E^{j_k}$, where $j_1 = 0$, is the minimal polynomial of s, then $m(E^v)S = 0$. For $i \in \{0, 1, \ldots, q^n - 2\}$, 

$$(m(E^v)S)_i = S_i + S_{i+j_2 v} + \ldots + S_{i+j_k v} = \bigl(m(E)(S_i, S_{i+v}, \ldots, S_{i+(q-2)v})\bigr)_0.$$

If $R_i = \beta^{e_i}$, then $(S_i, S_{i+v}, \ldots, S_{i+(q-2)v}) = E^{e_i}s$, and 

$$(m(E^v)S)_i = (m(E)(E^{e_i}s))_0 = (E^{e_i}m(E)s)_0 = (E^{e_i}0)_0 = 0.$$

If $e_i = \infty$, then $(S_i, S_{i+v}, \ldots, S_{i+(q-2)v}) = 0$, and certainly $(m(E^v)S)_i = 0$. Thus, $m(E^v)S = 0$, so $M(E) \mid m(E^v)$ and $L(S) \le \deg m(E^v) = v(\deg m(E)) = vL(s)$. | 

Two questions naturally arise when determining the linear span of S: 

(1) Is the bound in theorem 4 attained, that is, does L(S) = vL(s)? 

(2) What is L(s)? 

In the next section, we show that the answer to question 1 is always yes. Section 6 describes four particular choices of Σ and the respective values of L(s). 
5. LINEAR SPAN OF BINARY SEQUENCES OF FINITE GEOMETRIES. 

In the previous section we established the upper bound $((q^n - 1)/(q - 1))L(s(\Sigma))$ on the linear span of the binary sequence S(Σ) obtained from affine space EG(n, q). Here, we show that this upper bound is always attained. In fact, we show that the minimal polynomial of S(Σ) is $M(E) = m(E^v)$ where m(E) is the minimal polynomial of s(Σ). 

First, we group the terms of M(E) which have exponents congruent to the same value modulo v, and let M(E) be expressed as follows: 

$$M(E) = f_0(E^v) + f_1(E^v)E + \ldots + f_{v-1}(E^v)E^{v-1}$$

where each $f_i(x)$ is a polynomial of degree $d_i$. The constant term 1 must appear in M(E) and so $f_0(x) \ne 0$. We shall show that $f_i(x) = 0$ for all $i = 1, \ldots, v - 1$. 

LEMMA 5. If $f_0(E)s(\Sigma) = 0$, then $M(E) = m(E^v)$. 

Proof. 

$f_0(E)s = 0 \Rightarrow m(E) \mid f_0(E)$ 

$\Rightarrow \deg m(E) \le \deg f_0(E)$ 

$\Rightarrow \deg m(E^v) \le \deg f_0(E^v) \le \deg M(E)$ 

By theorem 4, $M(E) \mid m(E^v)$, so $M(E) = m(E^v)$. | 

To show that the upper bound of theorem 4 is attained, we need to show that $f_0(E)s = 0$. Involved in the proof are properties of the shift sequence $e = (e_0, e_1, \ldots, e_{q^n-2})$ introduced in section 4. 

THEOREM 6. Let $e = (e_0, e_1, \ldots, e_{q^n-2})$ be the shift sequence associated with the primitive polynomial f(x) which generates a q-ary m-sequence R of span n. Then any v consecutive terms of e contain exactly $(q^{n-1} - 1)/(q - 1)$ ∞ terms. 

PROOF. This is the number of zeros in any v consecutive terms of R. | 

COROLLARY 7. There are exactly $q^{n-1}$ finite terms in $(e_0, e_1, \ldots, e_{v-1})$. 
Proof. $v - (q^{n-1} - 1)/(q - 1) = q^{n-1}$. | 

In the following theorem, the elements {0, 1, ..., q − 2} are identified with the elements of Z(q − 1), the integers modulo q − 1. We use the convention that if $e_i \in Z(q - 1)$, then $e_i - \infty = \infty - e_i = \infty$. 
THEOREM 8. Let e be the shift sequence associated with the primitive polynomial f(x) which generates a q-ary m-sequence R of span n. For fixed $k \in \{1, 2, \ldots, v - 1\}$, the list of differences $(e_{i+k} - e_i \bmod (q - 1) : i \in \{0, 1, \ldots, v - 1\})$ contains each element of Z(q − 1) exactly $q^{n-2}$ times. 

PROOF. See [6, theorem 2, but with m = 1]. The results in [6] are stated for the case q = 2; however, the proofs remain valid for any prime power q. | 



The next lemma establishes a relationship between the polynomials $f_i(x)$ and the sequence s. 

LEMMA 9. $f_0(E)s = (f_1(E) + f_2(E) + \ldots + f_{v-1}(E))(E^0 + E + \ldots + E^{q-2})s$. 

PROOF. For a polynomial f(E), applying $f(E^v)$ to S is equivalent to applying f(E) to every v-th term of S, that is, applying f(E) to columns of A(S). Since the i-th column of A(S) is $E^{e_i}s$, the i-th column of $A(f(E^v)S)$ is given by $f(E)E^{e_i}s$. Recall the convention that $E^\infty s = 0$. 

Now, for each k, $0 \le k \le v - 1$, consider the sequence $E^k S$ as represented by the array $A(E^k S)$. Every column i of the array now has a leading term $S_{i+k}$. Hence, every column i of the array $A(f_k(E^v)E^k S)$ is given by $f_k(E)E^{e_{i+k}}s$. Now, M(E)S = 0 implies that every column i in A(M(E)S) is 0, that is, for $i \in \{0, 1, \ldots, v - 1\}$, 

$$(f_0(E)E^{e_i} + f_1(E)E^{e_{i+1}} + \ldots + f_{v-1}(E)E^{e_{i+v-1}})s = 0.$$

Recall that 

$$M(E) = f_0(E^v) + f_1(E^v)E + \ldots + f_{v-1}(E^v)E^{v-1}.$$

For every i, with $e_i \ne \infty$, 

$$E^{e_i}(f_0(E) + f_1(E)E^{e_{i+1} - e_i} + \ldots + f_{v-1}(E)E^{e_{i+v-1} - e_i})s = 0$$

if and only if 

$$(f_0(E) + f_1(E)E^{e_{i+1} - e_i} + \ldots + f_{v-1}(E)E^{e_{i+v-1} - e_i})s = 0.$$

Summing over i, $0 \le i \le v - 1$, such that $e_i \ne \infty$, we have 

$$\Bigl(\sum_{i : e_i \ne \infty} f_0(E) + \sum_{k=1}^{v-1} f_k(E) \sum_{i : e_i \ne \infty} E^{e_{i+k} - e_i}\Bigr)s = 0.$$

By corollary 7, the first sum contains $q^{n-1}$ terms, which is odd, thus 

$$\sum_{i : e_i \ne \infty} f_0(E) = f_0(E) \pmod 2.$$

By theorem 8 and since $q^{n-2}$ is odd, for each $k \in \{1, 2, \ldots, v - 1\}$, 

$$\sum_{i : e_i \ne \infty} f_k(E)E^{e_{i+k} - e_i} = f_k(E)(E^0 + E + \ldots + E^{q-2}) \pmod 2$$

where terms of the form $E^{\infty - e_i}$ are ignored because $E^{\infty - e_i}s = 0$. Combining the above observations, we have 

$$f_0(E)s = (f_1(E) + f_2(E) + \ldots + f_{v-1}(E))(E^0 + E + \ldots + E^{q-2})s. \;|$$

THEOREM 10. $M(E) = m(E^v)$ and so $L(S(\Sigma)) = vL(s(\Sigma))$. 

PROOF. By lemma 5, it is enough to show that $f_0(E)s = 0$, and by lemma 9 this is equivalent to showing $(f_1(E) + \ldots + f_{v-1}(E))(E^0 + E + \ldots + E^{q-2})s = 0$. 

If Σ consists of an even number of hyperplanes, then $wt(s) \equiv 0 \pmod 2$; hence 

$$(E^0 + E + \ldots + E^{q-2})s = (wt(s) \bmod 2) = 0$$

and 

$$f_0(E)s = 0.$$

If the number of hyperplanes in Σ is odd, then $wt(s) \equiv 1 \pmod 2$. By lemma 9, 

$$(E + 1)f_0(E)s = (f_1(E) + f_2(E) + \ldots + f_{v-1}(E))(E + 1)(wt(s) \bmod 2) = (f_1(E) + f_2(E) + \ldots + f_{v-1}(E))0 = 0;$$

that is, $m(E) \mid (E + 1)f_0(E)$. 

By corollary 3, $(E + 1)^2 \mid m(E)$ and so $(E + 1) \mid f_0(E)$ and $f_0(E)$ has an even number of terms. Similarly, theorem 2 states that $(E + 1) \mid M(E)$, so M(E) has an even number of terms, and this number is given by the sum of the number of terms in $f_0(E)$ and the number of terms in $f_1(E) + f_2(E) + \ldots + f_{v-1}(E)$ (before mod 2 cancellation). At any rate, this implies that $f_1(E) + f_2(E) + \ldots + f_{v-1}(E)$ has an even number of terms and $f_0(E)s = (f_1(E) + f_2(E) + \ldots + f_{v-1}(E))1 = 0$. | 
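Theorem 10 checked numerically on the paper's Examples 1 and 2, as an added Python example that is not part of the paper: the q-ary m-sequence R is generated from the primitive polynomial's recurrence, S(Σ_I) and s(Σ_I) are built as in Sections 3 and 4, and the linear spans are computed with Berlekamp-Massey over GF(2). The example assumes q prime and starts the recurrence from the state (0, ..., 0, 1), which yields a cyclic shift of $Tr(\alpha^i)$ and therefore the same linear spans; function names are this example's own.

```python
from typing import List, Set


def m_sequence(p: int, f: List[int]) -> List[int]:
    """One period of the p-ary m-sequence R with characteristic polynomial
    f(x) = x^n + f[n-1] x^(n-1) + ... + f[0] (f must be primitive over GF(p)).
    R satisfies R[i+n] = -(f[n-1] R[i+n-1] + ... + f[0] R[i]) mod p.  Starting from
    the state (0, ..., 0, 1) gives a cyclic shift of Tr(alpha^i) (assumption noted above)."""
    n = len(f)
    state = [0] * (n - 1) + [1]
    out = []
    for _ in range(p ** n - 1):
        out.append(state[0])
        nxt = (-sum(c * x for c, x in zip(f, state))) % p
        state = state[1:] + [nxt]
    return out


def hyperplane_sequence(R: List[int], I: Set[int]) -> List[int]:
    """S(Sigma_I): S_i = rho_I(R_i) = 1 iff alpha^i lies on a hyperplane H_a with a in I."""
    return [1 if x in I else 0 for x in R]


def span_one_sequence(R: List[int], p: int, n: int, I: Set[int]) -> List[int]:
    """s(Sigma_I) = rho_I applied to r = (1, beta, ..., beta^(q-2)), read off a nonzero
    column of the (q-1) x v array A(R): column i equals R_i * r."""
    v = (p ** n - 1) // (p - 1)
    i = next(k for k, x in enumerate(R) if x != 0)
    inv = pow(R[i], p - 2, p)                      # R_i^{-1} in GF(p), p prime
    r = [(R[i + j * v] * inv) % p for j in range(p - 1)]
    return [1 if x in I else 0 for x in r]


def berlekamp_massey(bits: List[int]) -> int:
    """Linear complexity over GF(2) of the given bit string (standard algorithm)."""
    n = len(bits)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def linear_span(period: List[int]) -> int:
    """L(X) for a periodic sequence: 2N terms determine a recursion of length <= N."""
    return berlekamp_massey(period * 2)


def check_theorem_10(p: int, f: List[int], I: Set[int]):
    """Return (L(S(Sigma_I)), v * L(s(Sigma_I))); Theorem 10 says they are equal."""
    n = len(f)
    R = m_sequence(p, f)
    v = (p ** n - 1) // (p - 1)
    S = hyperplane_sequence(R, I)
    s = span_one_sequence(R, p, n, I)
    return linear_span(S), v * linear_span(s)


if __name__ == "__main__":
    print("Example 1, I={1,2}:", check_theorem_10(3, [2, 1], {1, 2}))   # x^2 + x + 2 over GF(3)
    print("Example 1, I={1}:  ", check_theorem_10(3, [2, 1], {1}))
    print("Example 2, parity: ", check_theorem_10(5, [2, 0, 1], {1, 3}))  # x^3 + x^2 + 2 over GF(5)
```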
6. SPECIAL CASES OF BINARY SEQUENCES. 

In this section we consider four particular choices of Σ, and analyze the linear span of each sequence. 

If Σ consists of all nonzero hyperplanes, that is, $\Sigma = \Pi^* = \{H_a : a \ne 0\}$, then the sequence $S(\Pi^*)$ has period v and corresponds to the anti-incidence vector of a hyperplane in an (n − 1)-dimensional projective space PG(n − 1, q). In this case s = (1) and has L(s) = 1, so theorem 10 states that the linear span of $S(\Pi^*)$ is v. It is easy to see that the linear spans of a binary sequence X and its complement $\overline{X}$ differ by at most one. Since $\overline{S(\Pi^*)}$ has period v and $L(\overline{S(\Pi^*)})$ must divide v, $L(\overline{S(\Pi^*)}) = L(S(\Pi^*)) = v$. 

The complement of $S(\Pi^*)$ corresponds to the incidence vector of a projective hyperplane in PG(n − 1, q). Projective codes with the incidence matrix of points and hyperplanes as parity check rules have been studied by coding theorists, and the rank of this incidence matrix over GF(p), where $q = p^r$, has been obtained. 

THEOREM 11 [7], [8], [9]. For $q = p^r$, the GF(p) rank of the incidence matrix of points and hyperplanes in PG(n − 1, q) is $1 + \binom{n+p-2}{p-1}^r$. 

Each row of the incidence matrix is a shift of the sequence $S(\Pi^*)$. It is not hard to see that the rank of this incidence matrix over GF(2) is precisely the linear span over GF(2) of the sequence $S(\Pi^*)$. In the case when $q = 2^r$, the linear span (over GF(2)) of a projective hyperplane sequence can be obtained from theorem 11. Combining these observations we have the following theorem. 

THEOREM 12. The linear span of a projective hyperplane sequence of PG(n − 1, q) is given by $(q^n - 1)/(q - 1)$ if q is odd and $1 + n^r$ if $q = 2^r$. 

On the other hand, if Σ consists of only a single affine hyperplane H in $\Pi^*$, then the sequence S(H) corresponds to the incidence vector of an affine hyperplane and has period $q^n - 1$. The sequence s(H) corresponds to a sequence of all 0's except one 1 and has full linear span q − 1. Thus, by theorem 10, an affine hyperplane sequence of an affine space of odd order has full linear span. For affine spaces of even order, results on the incidence matrix of points and hyperplanes of EG(n, q) apply. 

THEOREM 13 [7]. For $q = p^r$, the GF(p) rank of the incidence matrix of points and hyperplanes in EG(n, q) is $\binom{n+p-1}{p-1}^r$. 

Combining these facts, we have the following theorem. 

THEOREM 14. The linear span of an affine hyperplane sequence of EG(n, q) is given by $(q^n - 1)$ if q is odd and $(n + 1)^r$ if $q = 2^r$. 

If Σ consists of half of the hyperplanes in $\Pi^*$, say, $\Sigma = \{H_{\beta^i} : i = 0, 1, \ldots, (q - 3)/2\}$, then the sequence s(Σ) is a binary sequence with (q − 1)/2 ones followed by (q − 1)/2 zeros, which has linear span (q + 1)/2. Thus, by theorem 10, the sequence S(Σ) has period $q^n - 1$ and linear span v(q + 1)/2. 

More generally, we can consider choices of Σ with the first half of the sequence s(Σ) the complement of the second half. The next lemma gives an upper bound on the linear span of S(Σ). 

LEMMA 15. If Σ is chosen so that the first half of the sequence s(Σ) is the complement of the second half of the sequence, then 

$$L(s(\Sigma)) \le (q + 1)/2.$$

PROOF. Let d = (q − 1)/2 and consider the sequence $h = (E^d + 1)s$. Since $s_i \ne s_{i+d}$ for all $i \in \{0, 1, \ldots, (q - 3)/2\}$, the sequence h consists of all 1's and (E + 1)h = 0. Thus, 

$$m(E) \mid (E^d + 1)(E + 1)$$

and 

$$L(s) \le 1 + (q - 1)/2 = (q + 1)/2. \;|$$

Finally, if q is an odd prime (q = p) and Σ consists of all the "odd hyperplanes," that is, $\Sigma = \{H_a : a \equiv 1 \pmod 2\}$, the sequence S(Σ), called the parity sequence of order n, has period $p^n - 1$ and linear span that depends on the linear span of the parity sequence s(Σ) of order 1. For all $i \in \{0, 1, \ldots, p - 2\}$, $\beta^{i+(p-1)/2} = p - \beta^i$, and since p is odd, $\beta^i$ and $\beta^{i+(p-1)/2}$ have different parities. Thus the parity sequence of order 1 has the property stated in lemma 15, and $L(s(\Sigma)) \le (p + 1)/2$. 

For all but 14 primes less than 500, $L(s(\Sigma)) = (p + 1)/2$, that is, usually $L(S(\Sigma)) = v(p + 1)/2 = (p^n - 1)/2 + (p^n - 1)/(p - 1)$. For instance the parity sequence in example 2 has linear span (31)(3) = 93. The 14 primes with $L(s(\Sigma)) < (p + 1)/2$ are listed in table 1, together with the linear spans of the corresponding parity sequences of order 1. The determination of a closed form expression of the linear span of the parity sequences of order 1 is an interesting (and probably difficult) open problem. 
TABLE 1 
Primes < 500 with L(s) < (p + 1)/2 

    p     L(s)    (p + 1)/2 - L(s) 
   29      12            3 
  113      54            3 
  163      80            2 
  197      96            3 
  239     117            3 
  277     135            4 
  311     146           10 
  337     163            6 
  349     171            4 
  373     182            5 
  397     195            4 
  421     207            4 
  463     229            3 
  491     240            6 

7. CONCLUSION. 

We have presented general results on the linear spans of a class of binary sequences that are obtained from q-ary m-sequences (q odd) by mapping the elements of GF(q) to 0 and 1. The linear span and minimal polynomial for these sequences are determined by considering a binary sequence of much shorter period q − 1. The results imply that the binary sequences under consideration have linear spans that are comparable to their periods, which can be made very long. 
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Some Constructions and Bounds for Authentication Codes 

D. R. Stinson 
Department of Computer Science 
University of Manitoba 

1. Introduction 

We shall use the model of authentication theory as described by Simmons in [S1], [S2], and [S3]. In this model, there are three participants: a transmitter, a receiver, and an opponent. The transmitter wants to communicate some information to the receiver, whereas the opponent wants to deceive the receiver. The opponent can either impersonate the transmitter, making the receiver accept a fraudulent message as authentic; or, modify a message which has been sent by the transmitter. 

More formally, we have a set of source states S, a set of messages M, and a set of encoding rules E. A source state s ∈ S is the information that the transmitter wishes to communicate to the receiver. The transmitter and receiver will have secretly chosen an encoding rule e ∈ E beforehand. An encoding rule e will be used to determine the message e(s) to be sent to communicate any source state s. It is possible that more than one message can be used to communicate a particular source state (this is called splitting). However, in order for the receiver to be able to uniquely determine the source state from the message sent, there can be at most one source state which is encoded by any given message m ∈ M. 

We assume that the opponent will play either impersonation or substitution. When the opponent plays impersonation, he sends a message to the receiver, attempting to have the receiver accept the message as authentic. When the opponent plays substitution, he waits until a message m has been sent, and then replaces m with another message m' so that the receiver is misled as to the state of the source. 

There will be a probability distribution on the set of source states S. Given the probability distribution on S, the receiver and transmitter will determine a probability distribution on E, called an encoding strategy. If splitting occurs, then they will also determine a splitting strategy to determine m ∈ M, given s ∈ S and e ∈ E. The transmitter / receiver will choose the encoding and splitting strategies to minimize the chance that the opponent can deceive them. 

This defines two possible games, which we refer to as the impersonation game and the substitution game. Each game has a value, which is the probability that the opponent can deceive the transmitter / receiver, given that they are using the optimal encoding and splitting strategies. We denote the values of these games by $v_I$ (for impersonation) and $v_S$ (for substitution). 

Many of the bounds on the values of the games $v_I$ and $v_S$ depend on entropies of the various probability distributions. For a probability distribution on a set X, we define the entropy of X, H(X), as follows: 

$$H(X) = -\sum_{x \in X} p(x) \log p(x).$$

As well, the conditional entropy H(X | Y) is defined to be 

$$H(X \mid Y) = -\sum_{y \in Y} \sum_{x \in X} p(y)\, p(x \mid y) \log p(x \mid y).$$

A.M. Odlyzko (Ed.): Advances in Cryptology - CRYPTO '86, LNCS 263, pp. 418-425, 1987. 
© Springer-Verlag Berlin Heidelberg 1987 

An authentication code is said to be Cartesian if any message uniquely determines the source state, independent of the particular encoding rule being used. In terms of entropy, this is expressed by the equation H(S | M) = 0. Note that in a Cartesian authentication code, there can be no secrecy. 

In this paper, we primarily consider authentication systems without splitting. We shall use the following notation. Denote the number of source states by k, and let $S = \{s_i : 1 \le i \le k\}$. Denote the number of messages by v, and let $M = \{m_j : 1 \le j \le v\}$. Denote by b the number of encoding rules, and write any encoding rule e ∈ E as $e = (e_i : 1 \le i \le k)$, where $e_i$ is the message used to communicate source state $s_i$, for $1 \le i \le k$. Then, the authentication system can be represented by the b × k matrix A, where row e of A consists of the entries $e_1, \ldots, e_k$. Given an encoding rule e ∈ E, we define $M(e) = \{e_i : 1 \le i \le k\}$, where $e = (e_i : 1 \le i \le k)$. Also, for any encoding rule e, define $f_e(m) = s$ if and only if $e_s = m$ (if message m does not occur in encoding rule e, then $f_e(m)$ is undefined). 

2. Bounds on the values of the impersonation and substitution games 

Theorem (Simmons [S2, Theorem 1]) In an authentication system without splitting, $v_I \ge k / v$. 

Theorem (Simmons [S2, Theorem 0]) In any authentication system, $v_I \ge 2^{H(MES) - H(E) - H(M)} = 2^{H(M \mid ES) + H(S) - H(M)}$. In an authentication system without splitting, H(M | ES) = 0, so $v_I \ge 2^{H(S) - H(M)}$. 

Theorem (Simmons, Brickell [B1, Theorem 3]) $v_S \ge 2^{-H(E \mid M)} = 2^{H(M) - H(E) - H(S) + H(M \mid ES)}$. In an authentication system without splitting, H(M | ES) = 0, so $v_S \ge 2^{H(M) - H(E) - H(S)}$. 

Given any encoding rule e', and given any m, m' ∈ M(e'), define 

$$\delta(e', m, m') = \sum_{\{e \in E :\, m, m' \in M(e)\}} \frac{p(e) \cdot p(S = f_e(m))}{p(e') \cdot p(S = f_{e'}(m))}.$$

Then, let $\delta = \min\{\delta(e', m, m') : m, m' \in M(e'),\ m \ne m'\}$. 

Theorem In an authentication system without splitting, $v_S \ge \delta \cdot 2^{-H(E \mid M)}$. 

Given any message m, define $r_m = |\{e \in E : m \in M(e)\}|$. 

Theorem In an authentication system without splitting, $v_S \ge \delta / r$, where $r = \max\{r_m : m \in M\}$. 

Given any encoding rule e', and given any m, m' ∈ M(e'), define 

$$\gamma(e', m, m') = \sum_{\{e \in E :\, m, m' \in M(e)\}} \frac{p(e) \cdot p(S = f_e(m))}{p(e')}.$$

Then, let $\gamma = \min\{\gamma(e', m, m') : m, m' \in M(e'),\ m \ne m'\}$. 

Theorem In an authentication system without splitting, $v_S \ge \gamma \cdot 2^{H(M) - H(E)}$. 

Theorem In an authentication system without splitting, $v_S \ge (k - 1) / (v - 1)$. 

3. Constructions for authentication systems 

Our interest is in constructing authentication systems which meet one or more of these bounds 
with equality. We are interested in the existence of authentication codes with a specified number of 
source states, and specified upper bounds on the number of encoding rules, messages, $v_I$, and $v_S$. 
Therefore, we define an $AC(k, v, b, \alpha, \beta)$ to be an authentication code without splitting, having $k$ 
source states, at most $v$ messages, at most $b$ encoding rules, and where $v_I \le \alpha$ and $v_S \le \beta$. Then, 
we define 

$$\varepsilon(k, \alpha, \beta) = \min\{b : \text{there exists an } AC(k, v, b, \alpha, \beta)\},$$

and 

$$\upsilon(k, \alpha, \beta) = \min\{v : \text{there exists an } AC(k, v, b, \alpha, \beta)\}.$$

That is, we are attempting to minimize the number of encoding rules (or messages) required in an 
authentication code for $k$ source states, with upper bounds $\alpha$ and $\beta$ on the impersonation and 
substitution games, respectively. 

First, observe that we have an easy lower bound on $\upsilon(k, \alpha, \beta)$. 

Theorem $\upsilon(k, \alpha, \beta) \ge \max\{k / \alpha,\ 1 + (k - 1) / \beta\}$. 

Next, we mention a lower bound on $\varepsilon(k, \alpha, \beta)$ due to Brickell ([B1, Theorem 4]). 

Theorem $\varepsilon(k, \alpha, \beta) \ge 1 / (\alpha \beta)$. 

This bound can be strengthened, using the quantity $\delta$ defined earlier. 

Theorem If an $AC(k, v, b, \alpha, \beta)$ exists, then $b \ge \delta / (\alpha \beta)$. 

Proof: We have $\alpha \ge v_I \ge 2^{H(S) - H(M)}$ and $\beta \ge v_S \ge \delta \cdot 2^{-H(E \mid M)} = \delta \cdot 2^{H(M) - H(E) - H(S)}$. 
Hence, we have $\alpha \beta \ge \delta \cdot 2^{-H(E)}$. Since $H(E) \le \log b$, the result follows. 

In the remainder of this paper, we shall be describing constructions for authentication codes, 
which will enable us to put upper bounds on $\varepsilon$ and $\upsilon$. For our first construction, we require the 
following definition. A transversal design $TD(k, \lambda; n)$ is a triple $(X, G, A)$, which satisfies the 
following properties: 

1) $X$ is a set of $kn$ elements called points 

2) $G$ is a partition of $X$ into $k$ subsets of $n$ points, called groups 

3) $A$ is a set of $\lambda n^2$ subsets of $X$ (called blocks) such that a group and a block contain 
at most one common point 

4) every pair of points from distinct groups occurs in exactly $\lambda$ blocks. 

We usually denote a $TD(k, 1; n)$ by $TD(k, n)$. It is well-known that a $TD(k, n)$ is equivalent 
to $k - 2$ mutually orthogonal Latin squares of order $n$. 

Theorem (Brickell [B1, Theorems 5 and 6]) If there is a transversal design $TD(k, n)$ then there is a 
Cartesian authentication system with $v_S = 2^{-H(E \mid M)} = 1 / n$, $v_I = 2^{H(S) - H(M)} = 1 / n$, $|S| = k$, 
$|M| = kn$, and $|E| = n^2$, with no splitting. Conversely, the existence of such an authentication 
system implies the existence of a transversal design $TD(k, n)$. Hence, if there exists a $TD(k, n)$, 
then there is an $AC(k, kn, n^2, 1 / n, 1 / n)$, and we have the upper bounds $\varepsilon(k, 1 / n, 1 / n) \le n^2$ 
and $\upsilon(k, 1 / n, 1 / n) \le kn$. 

We can prove a generalization of this result, using transversal designs with $\lambda > 1$. 

Construction 1 If there is a transversal design $TD(k, \lambda; n)$ then there is a Cartesian authentication 
system with $v_S = \lambda \cdot 2^{-H(E \mid M)} = 1 / n$, $v_I = 2^{H(S) - H(M)} = 1 / n$, $|S| = k$, $|M| = kn$, and $|E| = \lambda n^2$, 
with no splitting. Conversely, the existence of such an authentication system implies the existence 
of a transversal design $TD(k, \lambda; n)$. Hence, if there exists a $TD(k, \lambda; n)$, then there is an 
$AC(k, kn, \lambda n^2, 1 / n, 1 / n)$, $\varepsilon(k, 1 / n, 1 / n) \le \lambda n^2$, and $\upsilon(k, 1 / n, 1 / n) \le kn$. 

Suppose our desire is to construct an authentication code $AC(k, kn, b, 1 / n, 1 / n)$. We can 
construct such a code if a $TD(k, \lambda; n)$ exists for $b = \lambda n^2$. (Note that this satisfies the bound 
$b \ge \delta / (\alpha \beta)$ with equality, where $\alpha = \beta = 1 / n$ and $\delta = \lambda$.) Thus, given $k$ and $n$, we are interested 
in the smallest $\lambda$ such that a $TD(k, \lambda; n)$ exists. First, we observe that there is a simple numerical 
bound on $k$ in terms of $\lambda$ and $n$. 

Theorem (Hanani [H1]). If a $TD(k, \lambda; n)$ exists, then $k \le (\lambda n^2 - 1) / (n - 1)$. 

Consequently, if we use a $TD(k, \lambda; n)$, then we have a lower bound on $b$, namely 

$$b = \lambda n^2 \ge kn - k + 1.$$

We present an infinite example of transversal designs which meet this bound with equality. 

Theorem For all prime powers $n \ge 2$, and for any $d > 1$, there is an 
$AC(k, kn, n^d, 1 / n, 1 / n)$, where $k = (n^d - 1) / (n - 1)$; hence 
$\varepsilon((n^d - 1) / (n - 1), 1 / n, 1 / n) \le n^d$ and $\upsilon((n^d - 1) / (n - 1), 1 / n, 1 / n) \le kn$. 

Proof: In [H1], Hanani shows that for any prime power $n$, and for any $d > 1$, there is a 
$TD((n^d - 1) / (n - 1), n^{d-2}; n)$. 

Corollary For any $\alpha > 0$, $\varepsilon(k, \alpha, \alpha)$ is $O(k / \alpha^2)$ and $\upsilon(k, \alpha, \alpha)$ is $O(k / \alpha)$. 

Proof: Let $n = 2^j$, where $2^j \ge 1 / \alpha > 2^{j-1}$. Then $n$ is $O(1 / \alpha)$. Now, choose $d$ so that 
$n^d \ge k(n - 1) + 1 > n^{d-1}$. Since $k \le (n^d - 1) / (n - 1)$, we have $\varepsilon(k, \alpha, \alpha) \le n^d$. But, 
$n^d < k(n^2 - n) + n = O(kn^2)$. Since $n$ is $O(1 / \alpha)$, therefore $\varepsilon(k, \alpha, \alpha)$ is $O(k / \alpha^2)$. Also, $kn$ is 
$O(k / \alpha)$. 

As another example of the use of transversal designs with $\lambda > 1$, let's consider codes with 
parameters $AC(k, v, b, 1 / 6, 1 / 6)$. For $k = 4$, we cannot construct such a code from a 
$TD(4, 6)$, since this TD does not exist (this is the famous 36 officers problem of Euler, i.e. a pair 
of orthogonal Latin squares of order 6). In [B1], Brickell constructs an example of an 
$AC(4, 30, 36, 1 / 6, 1 / 6)$ with splitting. However, we can employ a $TD(7, 2; 6)$, which is 
constructed in [H1, p. 49], to obtain an $AC(7, 42, 72, 1 / 6, 1 / 6)$. 

More generally, we have the following class of authentication codes with 7 source states. 

Theorem For all $n \ge 2$, there is an $AC(7, 7n, 2n^2, 1 / n, 1 / n)$; hence $\varepsilon(7, 1 / n, 1 / n) \le 2n^2$. 

Proof: For these $n$, there is a $TD(7, 2; n)$ (see [H1]). 

The authentication codes obtained from Construction 1 are Cartesian. Hence, the opponent, 
on seeing a message being sent, knows the source state. Therefore, no secrecy is possible in such 
an authentication system. We also want to be able to construct good authentication codes with 
secrecy. Ideally, we would like to have $H(S \mid M) = H(S)$; i.e. the message gives absolutely no clue 
as to the state of the source. If this happens, then we say that the authentication code is perfectly 
non-Cartesian. 

Our main construction for perfectly non-Cartesian authentication codes uses group-divisible 
designs, which are a generalization of transversal designs. A group-divisible design 
$GD(k, \lambda, n; v)$ is a triple $(X, G, A)$, which satisfies the following four properties: 

1) $X$ is a set of $v$ elements called points 

2) $G$ is a partition of $X$ into $v / n$ subsets of $n$ points, called groups 

3) $A$ is a set of subsets of $X$ (called blocks), each of size $k$, such that a group and a 
block contain at most one common point 

4) every pair of points from distinct groups occurs in exactly $\lambda$ blocks. 

Note that a $TD(k, \lambda; n)$ is equivalent to a $GD(k, \lambda, n; kn)$. Also, a $(v, b, r, k, \lambda)$-BIBD 
(balanced incomplete block design) is equivalent to a $GD(k, \lambda, 1; v)$. 
We have the following construction. 
We have the following construction. 

Construction 2 Suppose there exists a $GD(k, \lambda, n; v)$. Then there is a perfectly non-Cartesian 
$AC(k, v, \lambda v (v - n) / (k - 1), k / v, (k - 1) / (v - n))$. 

Proof: Let $(X, G, A)$ be a $GD(k, \lambda, n; v)$. By simple counting, each point occurs in 
$r = \lambda (v - n) / (k - 1)$ blocks, and the total number of blocks is $\lambda v (v - n) / (k(k - 1))$. What we 
do is construct $k$ encoding rules from every block of the group-divisible design: for each block 
$A = \{x_1, \ldots, x_k\}$ of the group-divisible design, and for each $i$, $0 \le i \le k - 1$, we define an 
encoding rule $e(A, i) = (e_j : 1 \le j \le k)$, where $e_j = x_{(i + j) \bmod k}$. 

There are $\lambda v (v - n) / (k - 1)$ encoding rules in the resulting authentication code. We shall 
use each encoding rule with probability $(k - 1) / (\lambda v (v - n))$. It is not difficult to verify that 
$v_I = k / v$ and $v_S = (k - 1) / (v - n)$. 

Finally, the authentication code is perfectly non-Cartesian since $p(s \mid m) = p(s)$ for every $s \in S$ 
and every $m \in M$. 

It is interesting to note that this code has $H(M) = \log v$, $H(E) = \log(\lambda v (v - n) / (k - 1))$, and 
$v_S = \gamma \cdot 2^{H(M) - H(E)}$, where $\gamma = \lambda$. 

Corollary Suppose there exists a $(v, b, r, k, \lambda)$-BIBD. Then there is a perfectly non-Cartesian 
$AC(k, v, kb, k / v, (k - 1) / (v - 1))$. 

Proof: This is the case where every group of the group-divisible design has size 1. Note that here 
we have $v_S = (k - 1) / (v - 1)$. 

Corollary Suppose there is a $TD(k, \lambda; n)$. Then there is a perfectly non-Cartesian 
$AC(k, nk, \lambda k n^2, 1 / n, 1 / n)$. 

Consequently, $\varepsilon(k, \alpha, \alpha)$ is $O(k^2 / \alpha^2)$ and $\upsilon(k, \alpha, \alpha)$ is $O(k^2 / \alpha)$, even if we restrict 
ourselves to perfectly non-Cartesian codes. 

These two constructions for authentication codes both have two very nice properties which we 
have not yet emphasized. First, the encoding strategy in each case is uniform: each encoding rule 
is used with equal probability 1 / b. Second, this encoding strategy yields the stated game values 
for any source distribution. 
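The two constructions, as an added worked example that is not part of the paper: the code below builds the Cartesian code of Construction 1 with $\lambda = 1$ (the transversal design is taken from the lines $y = ax + b$ over $\mathbb{Z}_n$, $n$ prime, $k \le n$) and the perfectly non-Cartesian code of Construction 2 applied to the Fano plane, a $(7, 7, 3, 3, 1)$-BIBD, then evaluates the impersonation and substitution games with exact arithmetic under the uniform encoding strategy and a non-uniform source distribution, and tests the property $p(s \mid m) = p(s)$. The substitution value is computed as the opponent's optimal expected payoff over observed messages; for these codes every observed message gives the same optimum, so a max-over-messages reading agrees. Function names, the prime-field construction and the sample distributions are the example's own choices.

```python
from fractions import Fraction


def game_values(rules, p_e, p_s):
    """Impersonation and substitution game values of a code without splitting.
    rules is the b x k matrix A (rules[e][i] is the message rule e uses for
    source state i); p_e is the encoding strategy, p_s the source distribution,
    both lists of Fractions.  f_e(m) is the column in which m occurs in row e."""
    msgs = sorted({m for row in rules for m in row})
    # joint probability p(e, m) = p(e) p(S = f_e(m)) for every m in M(e)
    p_em = {(e, m): p_e[e] * p_s[row.index(m)]
            for e, row in enumerate(rules) for m in row}
    p_m = {m: sum((p for (e, mm), p in p_em.items() if mm == m), Fraction(0))
           for m in msgs}
    # impersonation: the opponent sends m and wins iff m lies in M(e)
    v_i = max(sum((p_e[e] for e, row in enumerate(rules) if m in row), Fraction(0))
              for m in msgs)
    # substitution: after seeing m, the opponent sends the m' that maximises
    # P(m' valid | m); the game value averages that optimum over m
    v_s = Fraction(0)
    for m in msgs:
        if p_m[m] == 0:
            continue
        best = Fraction(0)
        for m2 in msgs:
            if m2 == m:
                continue
            joint = sum((p_em[(e, m)] for e, row in enumerate(rules)
                         if m in row and m2 in row), Fraction(0))
            best = max(best, joint / p_m[m])
        v_s += p_m[m] * best
    return v_i, v_s


def is_perfectly_non_cartesian(rules, p_e, p_s):
    """H(S | M) = H(S) iff p(s | m) = p(s) for all s, m, i.e. iff the total
    probability of the rules with e_s = m equals p(m) for every s and m."""
    msgs = {m for row in rules for m in row}
    for m in msgs:
        p_m = sum((p_e[e] * p_s[row.index(m)] for e, row in enumerate(rules)
                   if m in row), Fraction(0))
        for s in range(len(p_s)):
            if sum((p_e[e] for e, row in enumerate(rules) if row[s] == m),
                   Fraction(0)) != p_m:
                return False
    return True


def td_code(k, n):
    """Construction 1 with lambda = 1 for n prime and k <= n: the lines
    y = a x + b over Z_n form a TD(k, n) on the points (x, y), x < k, and rule
    (a, b) sends source state i as the message (i, a i + b mod n)."""
    return [[(i, (a * i + b) % n) for i in range(k)]
            for a in range(n) for b in range(n)]


def construction2(blocks):
    """Construction 2: every block A = (x_0, ..., x_{k-1}) of a GD(k, lambda, n; v)
    (a BIBD when n = 1) yields the k cyclic shifts e(A, i), 0 <= i < k, with
    e(A, i)_j = x_{(i + j) mod k}."""
    k = len(blocks[0])
    return [[A[(i + j) % k] for j in range(k)] for A in blocks for i in range(k)]


def uniform(rules):
    """The uniform encoding strategy: every rule with probability 1 / b."""
    return [Fraction(1, len(rules))] * len(rules)


# Constructed sample inputs: the Fano plane from the difference set {0, 1, 3}
# mod 7, and a deliberately non-uniform source distribution on k = 3 states.
FANO = [tuple((d + t) % 7 for d in (0, 1, 3)) for t in range(7)]
SOURCE = [Fraction(1, 2), Fraction(1, 3), Fraction(1, 6)]

if __name__ == "__main__":
    td = td_code(3, 5)                      # AC(3, 15, 25, 1/5, 1/5), Cartesian
    print(game_values(td, uniform(td), SOURCE), is_perfectly_non_cartesian(td, uniform(td), SOURCE))
    ac = construction2(FANO)                # AC(3, 7, 21, 3/7, 1/3), perfectly non-Cartesian
    print(game_values(ac, uniform(ac), SOURCE), is_perfectly_non_cartesian(ac, uniform(ac), SOURCE))
```

Both codes reach the values the constructions state even though the source distribution is skewed, which is the "for any source distribution" property noted above; changing `SOURCE` to the uniform distribution gives the same game values.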

The final topic we consider is the construction of authentication codes for uniform source 
distributions ($p(s) = 1 / k$ for any source state $s$). As before we consider only codes without 
splitting. The best we could hope for is to attain the bounds $v_I = k / v$ and $v_S = (k - 1) / (v - 1)$. 
So, we shall study $AC(k, v, b, k / v, (k - 1) / (v - 1))$; such authentication codes will be called 
optimal. 

We have the following characterization of authentication codes which are optimal with respect 
to the uniform probability distribution on the source states. 

Lemma An authentication system is optimal with respect to the uniform probability distribution on 
the source states if and only if the following properties are satisfied: 

i) for every $m \in M$, $\sum_{e \in E :\, m \in e} p(e) = k / v$. 

ii) for every $m \ne m'$, $\sum_{e \in E :\, m, m' \in e} p(e) = (k^2 - k) / (v^2 - v)$. 

In many authentication codes, the optimal encoding strategy is to choose every encoding rule 
with probability 1 / b. If we assume that this encoding strategy is in fact optimal, then the 
properties above are of a purely combinatorial nature. We have the following 

Theorem An authentication system is optimal with respect to a uniform encoding strategy and a 
uniform probability distribution on the source states if and only if the following properties are 
satisfied: 

i) for every $m \in M$, $|\{e \in E : m \in e\}| = kb / v$. 

ii) for every $m \ne m'$, $|\{e \in E : m, m' \in e\}| = b (k^2 - k) / (v^2 - v)$. 

This says that the rows of $E$, considered as unordered sets, form a balanced incomplete block 
design with parameters $(v, b, r, k, \lambda)$, where $r = kb / v$ and $\lambda = b (k^2 - k) / (v^2 - v)$. So, we can 
produce optimal authentication codes from BIBDs when the source states are equiprobable. 

Using known families of BIBDs, we can obtain many authentication codes for uniform source 
distributions. For example, using projective geometries, we have the following. 

Theorem For any prime power $n$, and any integer $d \ge 2$, there is an optimal authentication code for 
the uniform source distribution on $n + 1$ source states, for $v = (n^{d+1} - 1) / (n - 1)$ and $\lambda = 1$. 
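As an added illustration of this characterization (example code, not from the paper), the following builds the lines of the projective plane $PG(2, p)$ for a prime $p$, the $d = 2$ case of the theorem with $v = p^2 + p + 1$, takes the lines as the rows of $E$, and checks properties i) and ii) directly by counting, returning the BIBD parameters $(v, b, r, k, \lambda)$ they imply. Function names and the homogeneous-coordinate construction of the plane are the example's own; the check is generic and reports failure for any set of rows that is not a BIBD.

```python
from fractions import Fraction
from itertools import combinations


def pg2_lines(p):
    """Lines of PG(2, p), p prime.  Points and lines are the nonzero vectors of
    Z_p^3 up to scalars, normalised so that the first nonzero coordinate is 1;
    point x lies on line l iff x . l = 0 (mod p).  Each line is returned as a
    tuple of point indices: one row of E, read as an unordered set."""
    pts = []
    for x in range(p):
        for y in range(p):
            for z in range(p):
                v = (x, y, z)
                if v != (0, 0, 0) and v[next(i for i, c in enumerate(v) if c)] == 1:
                    pts.append(v)
    lines = []
    for l in pts:                       # by duality the lines have the same coordinates
        lines.append(tuple(i for i, x in enumerate(pts)
                           if sum(a * b for a, b in zip(x, l)) % p == 0))
    return lines


def optimal_code_check(rules):
    """Properties i) and ii) of the theorem for a uniform encoding strategy:
    every message lies in kb/v rows and every pair of messages in
    b(k^2 - k)/(v^2 - v) rows.  Returns (v, b, r, k, lambda) when both hold,
    None otherwise (including when kb/v or lambda is not an integer)."""
    b, k = len(rules), len(rules[0])
    msgs = sorted({m for row in rules for m in row})
    v = len(msgs)
    r = Fraction(k * b, v)
    lam = Fraction(b * (k * k - k), v * v - v)
    if any(sum(m in row for row in rules) != r for m in msgs):
        return None
    if any(sum(m in row and m2 in row for row in rules) != lam
           for m, m2 in combinations(msgs, 2)):
        return None
    return (v, b, int(r), k, int(lam))


if __name__ == "__main__":
    for p in (2, 3, 5):
        rows = pg2_lines(p)
        # n = p source states + 1, v = p^2 + p + 1 messages, lambda = 1
        print(p, optimal_code_check(rows))
    print(optimal_code_check(pg2_lines(2)[:-1]))   # one line removed: no longer a BIBD
```

With the rows of $E$ being the $p^2 + p + 1$ lines of size $p + 1$, the check yields $r = p + 1$ and $\lambda = 1$, so the resulting code is optimal for the uniform source with $v_I = (p+1)/(p^2+p+1)$ and $v_S = 1/(p+1)$; dropping a single line breaks property i), which the function reports as `None`.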
ABSTRACT 

Software protection is one of the most important issues concerning computer practice. The problem is 
to sell programs that can be executed by the buyer, yet cannot be duplicated and/or distributed by him to other 
users. There exist many heuristics and ad-hoc methods for protection, but the problem as a whole did not 
receive the theoretical treatment it deserves. 

In this paper, we make the first steps towards a theoretic treatment of software protection: First, we 
distill and formulate the key problem of learning about a program from its execution. Second, we present an 
efficient way of executing programs (i.e. an interpreter) such that it is infeasible to learn anything about the 
program by monitoring its executions. A scheme that protects against duplication follows. 

How can one efficiently execute programs without allowing an adversary, monitoring the execution, to 
learn anything about the program? Current cryptographic techniques can be applied to keep the contents of 
the memory unknown throughout the execution, but are not applicable to the problem of hiding the access 
pattern. Hiding the access pattern efficiently is the essence of our solution. We show how to implement (on-line 
and in an "oblivious manner") $t$ fetch instructions to a memory of size $m$ by making less than $t \cdot m^{\varepsilon}$ actual 
accesses, for every fixed $\varepsilon > 0$. 

1. INTRODUCTION 

Software protection is one of the most important issues concerning computer practice. The problem is 
to sell programs that can be executed by the buyer, yet cannot be duplicated and/or distributed by him to other 
users. A lot of engineering effort is put into trying to provide "software protection", but this effort seems to 
lack theoretical foundations. In particular, there is no crisp definition of what the problems are and what 
should be considered as a satisfactory solution. In this paper, we make the first steps towards a theoretic 
treatment of software protection, by distilling a key problem and solving it efficiently. 

Before going any further, we distinguish between two intuitive notions: the problem of protection 
against duplication and the problem of protection against distribution. Loosely speaking, the first problem 
consists of ensuring that there is no efficient method for creating executable copies of the software; while the 
second problem consists of ensuring that, in case duplication succeeds, the illegal duplicator should be unable 
to prove in court that he has designed the program. In this paper we concentrate on the first problem, which 
clearly implies a solution to the second one. 

We claim that protection against duplication must use some hardware measures: mere software (which 
is not physically protected) can always be duplicated. On the other extreme, the trivial solution is to rely only 
on hardware. That is, to sell physically-protected special-purpose computers for each task. This "solution" 
has to be rejected as infeasible and too expensive. We conclude that a real solution to protecting software 
from duplication should combine feasible software and hardware measures. 

It has been suggested [Be, K] to protect software against duplication by selling a physically shielded 
CPU together with an encrypted program. The CPU will contain the corresponding decryption key, and will 
be installed in a computer system. The CPU will execute the program using the memory, I/O devices and 
other components of the computer. As customary, the CPU itself will contain only a small amount of storage 
space. We stress that only the CPU will be physically shielded and that all other components of the com- 
puter, including the memory in which the encrypted program and data are stored, will not be shielded. 

The above setting is on the right track. It only uses a small amount of physical protection (shielding), 
and its implementation is feasible in current technology. However, the above setting does not constitute a full 
solution since it was not specified exactly how the CPU is to execute the program using the memory. A naive 
specification states that the computer operates as an ordinary Random Access Machine, except for the extra 
encryption and decryption performed by the CPU. This naive specification is not good enough, since certain 
properties of the program, such as its loop structure, will not be kept secret from an observer. It is true that 
straightforward duplication of the program is not possible since one part of the program (i.e. the key) is in the 
shielded CPU which is unduplicatable. But protection against duplication should mean more than foiling 
straightforward attempts. In particular it should mean that the user is unable to learn enough about the 
program so that he can later reconstruct it by himself. We thus view the above setting (i.e. a small shielded CPU 
and an encrypted program) as the starting point for the study of software protection, rather than as a satisfactory 
solution. In fact, we will use this setting as the framework for our investigations, which are concerned with 
the following key question: 

What can a user learn about the program he bought ? 

1.1 What Can Be Learnt by Executing a Program 

We recall that the program consists of an encrypted code and a shielded CPU capable of "executing" 
the code (on an external memory device which may be monitored by the user). The user can run the program 
on inputs of its choice and watch the sequence of memory accesses during such executions. Furthermore, he 
can even interfere in the execution by changing the contents of the memory locations. In any case, the pattern 
of memory accesses certainly carries knowledge about the program. In many cases, one can easily infer from 
the access pattern essential properties of the program such as its loop structure. In some cases, this may 
suffice in order to reconstruct the program. 

Our goal is to make it infeasible for the adversary to improve his ability of reconstructing the program 
by experimenting with it. If it is initially "easy" to reconstruct the program then we require nothing, but in 
case this task is initially "hard" then experimenting with the program should not help. We meet our goal by 
requiring that the adversary cannot learn anything about the encrypted program, except for its input/output 
relation and its running time. Certainly, if an adversary can learn nothing (except I/O relation and running 
time) from his experiments then he cannot improve his ability of reconstructing the program. Thus, the 
notion of a CPU which defeats experiments (i.e. prevents learning about a program from its executions) is the 
key to preventing software duplication. Intuitively, a CPU defeats experiments if it is infeasible to distinguish 
the sequences of memory accesses of any two programs run by it. The technical difficulty in the definition is 
the need to decouple the specified behaviour of the programs (i.e. input/output relation and running time) 
from the sequences of memory accesses made during their executions. 

Definition (sketch): We say that a CPU defeats experiments if no probabilistic polynomial-time adversary 
can, on input an encrypted program, distinguish the two cases: 

1) The adversary is experimenting with the genuine CPU, which is trying to execute the encrypted pro- 
gram through the external memory. 

2) The adversary is experimenting with a fake CPU. The interactions of the fake CPU with the memory 
are almost identical to those that the genuine CPU would have had with the memory when executing a 
dummy program (e.g. while TRUE do skip;). The execution of the dummy program is timed-out by the 
number of steps of the real program. When timed-out, the fake CPU writes to the memory the same 
output that the genuine CPU would have written on the "real" program (and the same input). 

Constructing an efficient CPU which defeats experiments 

The problem of constructing a CPU which defeats experiments is not an easy one. Essentially there are 
two issues: The first issue is to hide from the adversary the values stored and retrieved from memory, and to 
prevent the adversary's attempts to change these values and/or to launch an attack on the encryption function. 
This is done using traditional cryptographic techniques (e.g. probabilistic encryption [GM] and message 
authentication [GGM]) in an innovative manner. The second issue is to hide (from the adversary) the sequence 
of instructions and variables accessed during the execution (hereafter referred to as hiding the access pattern). 

Hiding the memory access pattern is a completely new problem and traditional cryptographic tech- 
niques are not applicable to it. A trivial but unacceptably wasteful solution consists of scanning through the 
entire memory each time a variable needs to be accessed. In this paper, we provide an efficient solution to the 
problem of hiding the access pattern. This solution is the basis of our construction of an efficient CPU which 
defeats experiments. 
Main Theorem: Let $m$ denote the size of the external memory, and assume that one-way permutations 
exist. Then there exists a way to execute programs (through the memory) without leaking any 
knowledge about them, such that $t$ instructions of the original program require only $t \cdot m^{\varepsilon}$ memory 
accesses, $\varepsilon > 0$. 

(The actual expression is $t \cdot 2^{\sqrt{2 \log m \cdot \log \log m}}$.) 

1.2 The Hidden Access Game 

The Main Theorem is proved by reducing the problem of executing programs without leaking 
knowledge about them, to a "hidden access game". The reduction uncouples the traditional cryptographic 
issues of encryption and authentication from the new issue of hiding an access sequence. The access game 
consists of a main player (called the magician), m marked balls, and 2m boxes each capable of storing a sin- 
gle ball. Initially the m balls are placed in the first m boxes, such that ball i is in the ith box. The magician 
can hold only a single ball in his hands at any time. There are two additional players called the instructor and 
the adversary. The game proceeds in rounds as follows. In each round, the instructor secretly specifies to the 
magician a ball (say ball i ), and the magician "answers" by conducting a sequence of actions such that at the 
sequence's end the magician holds ball $i$ in his hands. The magician's actions consist of inserting his hand 
into a box for a moment, during which he either drops a ball or takes a ball or does nothing. The adversary 
can only see into which box the magician has inserted his hand, but cannot see whether the magician dropped 
a ball, took a ball or did nothing. (It goes without saying that the adversary cannot see through the box.) The 
instructor is not collaborating with either magician or adversary. Can the magician follow the game without 
allowing the adversary to learn anything about the instruction sequence? More precisely, we require that the 
sequence of visible actions yields no information about the sequence of instructions. 

There is a wasteful solution corresponding to the simple solution of the software protection problem: on 
every instruction the magician inserts his hand into all boxes in a predetermined order. Our proof of the above 
Theorem offers a better solution: in order to follow $t$ instructions the magician needs to make only 
$t \cdot 2^{\sqrt{2 \log m \cdot \log \log m}}$ actions (hand insertions). 

Remark: The access game studied in this paper can be viewed as the Random Access Machine analogue of 
the oblivious Turing Machine problem studied by Pippenger and Fischer [PF]. The difference is that their 
solution heavily relies on the fact that in their setting the instruction pattern is local (i.e. after asking for ball $i$, the 
instructor can only ask for either ball $i - 1$ or ball $i + 1$). 

ORGANIZATION 

In Section 2 we establish a formal framework and present a definition of the phrase "a CPU executes 
programs without leaking knowledge about them". In Section 3 we sketch a reduction of the problem of 
implementing such executions to the problem of implementing a magician in the above access game. The 
reader who is merely interested in the access game is encouraged to skip these sections and proceed directly to 
Sections 4 and 5. Section 4 consists of the first non-trivial solution to the access game: a solution involving an 
overhead factor of $\sqrt{m}$. In Section 5, a recursive solution involving an overhead of $2^{\sqrt{2 \log m \cdot \log \log m}}$ is 
presented. In Section 6, we present an $\Omega(\log m)$ lower bound on the overhead in a solution to the access game. 
We conclude with some remarks and open problems. 

2. OUR DEFINITION OF SOFTWARE PROTECTION 

Loosely speaking, our definition of protected software is that the adversary having the CPU and the 
encrypted program can "learn" nothing "substantial" about the program except for its input/output relation 
and running time. In order to present a formal definition we need first to define the interaction between the 
CPU, memory, adversary and to parameterize the encryption. We next turn to define transformations on pro- 
grams (compilers) and define "learning substantially" as the ability to distinguish the original programs by 
monitoring the executions of their compiled mappings. Compilers which map programs in a manner that 
defeats any attempt to learn something substantial are then defined as protecting software. The reader may 
note that in this section we present the transformations on programs as compilers while in the introduction 
they were presented as interpreters. This difference is clearly not essential. 

2.1. Interactive Machines, CPU, Memory, Programs, and Encryption 

We start by defining the memory and the CPU as two interacting machines. The definition matches the 
standard notion of a RAM (e.g. [AHU]) in case the memory and CPU are interacting with each other. The 
only detail worth emphasis is that the CPU can only use space linear in its input parameter. 

Definition 1 (Probabilistic Interactive Machines - sketch): A probabilistic interactive machine (PIM) consists 
of a read-only input tape, a write-only output tape, a work tape and a finite control. In addition to the above 
the PIM may receive and send messages through a special communication channel. 

Definition 2 (Linear PIM): A linear PIM is a PIM that on input $x$ accesses only the first $O(|x|)$ cells of its 
work tape. 

Definition 3 (Memory): The memory is a (linear) PIM operating as hereby specified. On input a string $y$ 
partitioned (by special marks) into $m$ blocks, the memory copies the input to its work tape, and from this point on 
considers the $i$th block of $y$ as its $i$-th cell. Subsequently, the memory is message driven. When reading a 
new message of the form $(\sigma, i, z)$ the memory acts as follows. If $\sigma = S$ and $1 \le i \le m$ then the memory sends a 
message consisting of the current contents of its $i$-th cell. If $\sigma = P$ and $1 \le i \le m$ then the memory puts $z$ as 
the new contents of its $i$-th cell (if $z$ is too long - it is truncated). If $\sigma = T$ then the memory outputs the contents 
of its work tape, and stops. In case none of the above holds, the memory remains idle. 

Remark: For the sake of simplicity, we have assumed at this point that the programs conduct all their 
computation in the space occupied initially by the input. In practice, the actual input will be padded by blanks to 
allocate sufficient work space for the execution. The padded input will then serve as input to the program. 
An alternative approach, in which the memory size grows during the execution to meet workspace needs, will 
be explored in the full version of this paper. 

Definition 4 (CPU - sketch): The CPU is a linear PIM which operates as hereafter specified. The input to the 
CPU is ignored, and its only purpose is to trigger the execution of the CPU, and to specify the permitted 
"length" of the CPU's work tape. The CPU starts its execution by sending a (fetch) message of the form 
$(S, 1, \cdot)$. Subsequently it operates in "rounds". In each round it reads a new arriving message (into its work 
tape), applies a polynomial-time computation to its work tape (an "elementary operation" in the terminology 
of the RAM model [AHU]), and concludes by sending a message (consisting of the contents of a portion of its 
work tape). (After sending a message of the form $(T, \cdot, \cdot)$ the CPU halts.) 

Definition 5 (programs, data, and computations): The input to the memory ($y$) is partitioned (by a special 
symbol) into two parts called the program (denoted here as $\pi$) and the data (denoted $x$). The output of the 
memory (on input $y = (\pi, x)$), after interacting with the CPU, is denoted $\pi(x)$ and called the result of its 
computation on input $x$. 
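An added toy model (not the paper's construction) of the memory and CPU of Definitions 3 to 5, and of the "defeats experiments" notion from the introduction: a message-driven memory whose log of $(\sigma, i)$ pairs is the adversary's view, and a CPU that runs a small constructed instruction set either naively, issuing one message per access, or by scanning every cell on every access, which is the wasteful solution of the access game. The instruction set, the two programs and the data are invented for the demonstration; encryption of cell contents is left out, so the log records only the message type and cell index, the part of the traffic the adversary sees in any case. The oblivious mode hides everything except the number of rounds, which is the running time the definition allows to leak.

```python
class Memory:
    """Definition 3: m cells driven by messages (sigma, i, z).  S fetches cell i,
    P puts z into cell i, T outputs the work tape and stops; anything else is
    ignored.  The log keeps (sigma, i) of every message received."""

    def __init__(self, cells):
        self.cells = list(cells)
        self.log = []

    def receive(self, sigma, i=None, z=None):
        self.log.append((sigma, i))
        if sigma == 'S' and 1 <= i <= len(self.cells):
            return self.cells[i - 1]
        if sigma == 'P' and 1 <= i <= len(self.cells):
            self.cells[i - 1] = z
        elif sigma == 'T':
            return list(self.cells)
        return None


def run(program, data, oblivious):
    """Execute `program` (instructions stored in cells 1..len(program)) on `data`
    (the following cells); return (accumulator, memory log, rounds).  Naive mode
    issues one message per access, so the log shows which cells are touched and
    in what order.  Oblivious mode realises every access as a scan of all m cells
    and performs one instruction fetch, one data fetch and one data write per
    round whatever the instruction is, so the log depends only on the round count."""
    mem = Memory(list(program) + list(data))
    m = len(mem.cells)

    def fetch(i):
        if not oblivious:
            return mem.receive('S', i)
        wanted = None
        for j in range(1, m + 1):            # read every cell, keep only cell i
            value = mem.receive('S', j)
            if j == i:
                wanted = value
        return wanted

    def put(i, z):
        if not oblivious:
            mem.receive('P', i, z)
            return
        for j in range(1, m + 1):            # read and rewrite every cell; the CPU
            value = mem.receive('S', j)      # holds one cell at a time and only
            mem.receive('P', j, z if j == i else value)   # cell i really changes

    acc, pc, rounds = 0, 1, 0
    while True:
        op, *args = fetch(pc)                # instruction fetch
        rounds += 1
        addr = args[0] if args else None
        if addr is None and not oblivious:   # HALT / NOP touch no data cell
            value = None
        else:                                # cell 1 serves as the dummy address
            value = fetch(addr if addr is not None else 1)
            new = value - 1 if op == 'DEC' else value
            if oblivious or op == 'DEC':     # naive mode writes only when needed
                put(addr if addr is not None else 1, new)
        if op == 'HALT':
            break
        if op == 'ADD':                      # acc += cell[addr]
            acc += value
        pc = args[1] if op == 'JNZ' and value != 0 else pc + 1   # JNZ addr target
    mem.receive('T')
    return acc, mem.log, rounds


# Two constructed programs computing 2 * cell[8]: LOOP iterates with the counter
# in cell 9, STRAIGHT is straight-line code padded to the same number of rounds.
LOOP = [('ADD', 8), ('DEC', 9), ('JNZ', 9, 1), ('HALT',), ('NOP',), ('NOP',), ('NOP',)]
STRAIGHT = [('ADD', 8), ('ADD', 8), ('NOP',), ('NOP',), ('NOP',), ('NOP',), ('HALT',)]
DATA = [5, 2, 0, 0, 0]                       # cell 8 = 5, cell 9 = loop counter 2

if __name__ == "__main__":
    for oblivious in (False, True):
        out1, log1, r1 = run(LOOP, DATA, oblivious)
        out2, log2, r2 = run(STRAIGHT, DATA, oblivious)
        print("oblivious" if oblivious else "naive", out1, out2, r1, r2,
              "logs identical" if log1 == log2 else "logs differ")
```

Both programs halt after seven rounds with the same output. The naive logs differ from the fourth message on (`('S', 9)` against `('S', 8)`) and the repeated `('P', 9)` writes expose the loop; the oblivious logs are identical, 48 messages per round, because the only thing they encode is the round count.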

Definition 6 (Probabilistic Encryption and its Security [GM] - sketch): A probabilistic encryption scheme is a 
triplet of probabilistic polynomial-time algorithms denoted $(G, E, D)$. On input $n$ (in unary) algorithm $G$ 
outputs a (legal) key $K$ of length $n$. On input a key $K$ and a message $M$, algorithm $E$ randomly selects an 
encryption denoted $E_K(M)$, such that $D_K(E_K(M)) = M$. Loosely speaking, we say that the encryption scheme 
is secure if on input $n$ (in unary), and the messages $M_1$ and $M_2$, their probabilistic encryptions $E_K(M_1)$ and 
$E_K(M_2)$ (where $K = G(n)$) are polynomially-indistinguishable (even when given access to a black box 
implementing $E_K$). 

Remark: We do not assume here that the encryption scheme is public-key. 

2.2. Cryptographic CPU, Specification Oracle, and Compilers 

Definition 7 (Cryptographic CPU - sketch): The Cryptographic CPU (CCPU) operates essentially as a CPU 
except for the following details: 

1) The input is considered as a cryptographic key $K$ of length $n$ (and is not ignored). 

2) The CCPU can effect (as an "elementary operation") $E_K$ and $E_K^{-1}$ on any string of length $n$. 

Remark: The time and space complexities of effecting $E_K$ and $E_K^{-1}$ are ignored in the above definition. In 
considering an implementation of a CCPU, the time complexity of effecting $E_K$ enters as a multiplicative 
factor, while the space complexity enters as an additive term. Both complexities depend only on the length of $K$, 
and thus are independent of the length of the data (to the program run by the CCPU). In the factoring-based 
implementation, the time complexity is $O(n^3)$ while the space complexity is $O(n)$. 

Definition 8 (A specification oracle): A specification oracle for a program $\pi$, is an oracle that on query $x$ 
returns $(\pi(x), t_\pi(x), s_\pi(x))$, where $\pi(x)$ is the output of $\pi$ on input $x$, $t_\pi(x)$ is the running-time of $\pi$ on input $x$, 
and $s_\pi(x)$ is the storage-requirement of $\pi$ on input $x$. 

Remark: For the sake of simplicity, we assume in the rest of this extended abstract that both $t_\pi(x)$ and $s_\pi(x)$ 
depend only on the length of $x$. Furthermore, we will assume that these functions are easily computable. 
Thus, the only interesting thing in the oracle's answer is $\pi(x)$. 

Our objective is to claim that no adversary can learn anything about $\pi$, when given input $E_K(\pi)$ and 
interacting with the CCPU. This is false when $\pi$ is executed in the straightforward manner. What we do is 
map $\pi$ into a "functionally equivalent" program $\pi'$ and execute $\pi'$. We will require that no adversary given 
the encryption of $\pi'$ (and interacting with the CCPU) can learn anything about $\pi$. 

Definition 9 (Compiler): A compiler $C$ is a probabilistic polynomial time algorithm that on input an integer $n$ 
(in unary) and a program $\pi$ outputs an $n$-bit cryptographic key $K = G(n)$ and an encrypted program $E_K(\pi')$, 
such that for every $x$, $\pi(x) = \pi'(x)$. We denote $\pi'$ by $C(\pi)$. 

2.3. Software Protection and its Cost 

Now we are ready to state our definition of software protection. Loosely speaking, a compiler is said to 
protect software if whatever can be efficiently computed on input an (encrypted) compiled program (when 
interacting with a CCPU (having the corresponding key)) - can be efficiently computed given access only to 
the specification oracle for the program. 
Notation (sketch): By 1" we mean the unary representation of n. When writing D^x) = P D 2 (f(.x)), we 
mean that the probability distributions generated by the algorithms D l and£> 2 on "random" *'s are polyno- 
mially indistinghishable [GM, Y]. Let A and B be interacting machines, then A B ^(x) denote the probability 
distribution output by A on input x , when A is interacting with B which gets y as a private input (i.e. A does 
not gety ). Let M be an oracle-machine, and tc be a program, then M % {x) denotes the output distribution of 
M on input x and access to a specification oracle for n. 

Definition 10 (Software Protection, sketch): Let P denote the CCPU. The compiler C protects software if for every probabilistic polynomial-time interacting machine A, there exists a probabilistic polynomial-time oracle-machine M, such that for all programs π the following holds

A^{P(K)}(E_K(C(π))) ≈_P M^π(1^{|K|}),

where K is chosen randomly among all cryptographic keys of length |K|.

Definition 11 (cost of software protection): Let π be a program, and t_π(x) be as in Definition 8. Let C be a compiler. Let f_C be a function from integers to reals, such that f_C(m) is the maximum, taken over all m-bit strings x, of t_{C(π)}(x)/t_π(x). Let f'_C(m) be a function such that for every π and for sufficiently large m, f_C(m) ≤ f'_C(m). Then the overhead created by the compiler C is at most f'_C(m).

3. REDUCTION TO AN ACCESS GAME 

The access game, described in the introduction, can be formalized as a randomized procedure that on input a sequence α of elements out of {1,2,...,m} outputs two sequences, a visible sequence β and a secret sequence γ. The sequence β contains elements out of {1,2,...,2m}, while the sequence γ consists of elements out of {T, D, N}. (The reader may think of α as being the instruction sequence, of the procedure as being the magician, of the visible sequence as the sequence of cells into which the magician has inserted his hand, and of the secret sequence as of what he did when inserting his hand. T stands for "take a ball", D for "drop", and N for "do nothing".) The visible sequence β gives no information about the sequence α (i.e. the conditional probability that the input is α given that the visible output is β equals the a-priori probability that the input is α). The execution of β with γ gives a sequence δ which contains α. (δ is the sequence of balls held in the magician's hand, when he inserts his hands into cells β and acts in them according to γ.) Furthermore, the procedure should satisfy the above conditions when working on-line: every new element of α should cause the procedure to output new portions of β and γ such that they "contain" the element.

In addition, we require that the randomized procedure is efficient in the following sense:

1) The next output symbol is computed in time polynomial in m;

2) The space used is logarithmic in m, provided that the procedure has access to a random oracle;

3) The procedure can compute at each moment the number of times each ball was taken out of a cell.

Proposition (The Reduction): Suppose that there exist one-way permutations, and there is a procedure satisfying the above conditions such that for every input of length l it outputs sequences of length l·f(m). Then there exists a compiler that protects software with overhead at most f(m).

The proof employs the following "traditional" cryptographic techniques: probabilistic encryption [GM], pseudorandom functions [GGM], and (provably secure) message authentication [GGM].

1) Probabilistic encryption is used in order to make it infeasible to tell anything about the contents of a memory location. The existence of one-way permutations implies the existence of probabilistic encryption schemes [GM, Y]. More efficient schemes exist under the intractability of factoring [ACGS, BG].

2) The pseudorandom functions replace the random oracle used by the procedure. It is crucial that they can be implemented using "small" space. Pseudorandom functions exist if one-way permutations exist [BM, Y, GGM].

3) Message authentication is used in order to prevent the adversary from launching a chosen ciphertext attack on the encryption scheme. Another use of authentication is to prevent the adversary from switching the contents of memory locations, or from replacing the contents by previous contents of the same location. (It is thus crucial that the procedure satisfies the additional condition (3).) Message authentication is implemented using pseudorandom functions [GGM].
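The three ingredients of the reduction, as an added illustration that is not part of the paper: a memory cell of the CCPU's external memory is stored as a triple (nonce, ciphertext, tag). A pseudorandom function keyed by K both pads the contents (probabilistic encryption: a fresh nonce makes two encryptions of the same value differ) and authenticates the triple together with the cell's address and the cell's access counter. The counter is the paper's condition (3); binding it into the tag is what rejects a ciphertext moved to another cell or an earlier content restored to the same cell. HMAC-SHA256 is used here as a stand-in for the [GGM] pseudorandom function, and the names TaggedMemory, IntegrityError, tamper_is_detected and the 32-byte cell size are this example's own choices.

```python
import hashlib
import hmac
import os

CELL_BYTES = 32  # contents are padded with one PRF output, so at most 32 bytes


class IntegrityError(Exception):
    """Raised when a cell's tag does not match its address, version and content."""


class TaggedMemory:
    """Encrypted, authenticated memory cells (added example, not the paper's code).

    self.store is the part the adversary may read and rewrite; self.version is
    the per-cell access counter kept inside the CCPU (condition (3) of Section 3).
    """

    def __init__(self, key, ncells):
        self.key = key
        self.version = [0] * ncells
        self.store = [None] * ncells
        for addr in range(ncells):
            self.write(addr, b"\x00" * CELL_BYTES)

    def _prf(self, label, *parts):
        # HMAC-SHA256 stands in for a keyed pseudorandom function [GGM]
        return hmac.new(self.key, label + b"|" + b"|".join(parts), hashlib.sha256).digest()

    def _tag(self, addr, version, nonce, ct):
        return self._prf(b"mac", addr.to_bytes(4, "big"), version.to_bytes(8, "big"), nonce, ct)

    def write(self, addr, value):
        if len(value) > CELL_BYTES:
            raise ValueError("cell too small")
        self.version[addr] += 1                 # every write bumps the cell's counter
        nonce = os.urandom(16)                  # fresh randomness: probabilistic encryption
        pad = self._prf(b"enc", nonce)[: len(value)]
        ct = bytes(x ^ y for x, y in zip(value, pad))
        self.store[addr] = (nonce, ct, self._tag(addr, self.version[addr], nonce, ct))

    def read(self, addr):
        nonce, ct, tag = self.store[addr]
        # the tag is recomputed with the CCPU's own address and version, so a
        # triple moved from another cell or replayed from the past is rejected
        if not hmac.compare_digest(tag, self._tag(addr, self.version[addr], nonce, ct)):
            raise IntegrityError(f"cell {addr}: tag mismatch")
        pad = self._prf(b"enc", nonce)[: len(ct)]
        return bytes(x ^ y for x, y in zip(ct, pad))


def tamper_is_detected(action):
    """Apply one manipulation of the store ("none", "swap", "replay" or "flip")
    and report whether a subsequent read rejects it."""
    mem = TaggedMemory(b"k" * 32, 4)
    mem.write(0, b"old content of cell 0")
    snapshot = mem.store[0]                     # adversary keeps a copy of the old triple
    mem.write(0, b"new content of cell 0")
    mem.write(1, b"content of cell 1")
    if action == "swap":                        # move cell 1's triple into cell 0 and back
        mem.store[0], mem.store[1] = mem.store[1], mem.store[0]
    elif action == "replay":                    # restore the earlier content of cell 0
        mem.store[0] = snapshot
    elif action == "flip":                      # change one ciphertext bit of cell 1
        nonce, ct, tag = mem.store[1]
        mem.store[1] = (nonce, bytes([ct[0] ^ 1]) + ct[1:], tag)
    try:
        mem.read(0)
        mem.read(1)
        return False
    except IntegrityError:
        return True


def same_value_encrypts_differently():
    """Two encryptions of one value differ on the wire yet decrypt to the same value."""
    mem = TaggedMemory(b"k" * 32, 2)
    mem.write(0, b"same")
    mem.write(1, b"same")
    return mem.store[0][1] != mem.store[1][1] and mem.read(0) == mem.read(1) == b"same"
```

The version counter lives with the CCPU, not in the store: that is what makes the tag check meaningful, since an adversary holding only the store cannot produce a tag for the counter value the CCPU will use next.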

4. THE "SQUARE ROOT" SOLUTION 

We will describe the solution, using the intuitive "magician" formalism of the introduction. Recall that there are m balls marked 1 through m, which initially reside in the first m cells such that ball i is in the i-th cell. Altogether there are 2m cells, and suppose that m > 2√m. The solution described below allows the magician to follow a sequence of t instructions by committing at most t·√m actions. We describe a solution in which the magician is allowed to hold up to 2 balls at any point in time.

Following is an outline of the magician's procedure:

0) Initially, for 1 ≤ i ≤ m, the i-th cell contains ball number i. All other cells are empty.
while TRUE do:

1) Randomly permute the contents of the first m+√m cells. That is, select a permutation π over the integers 1 through m+√m and relocate the contents of cell i in cell π(i).

2) Execute √m instructions as follows. During the execution of these instructions, maintain the balls (accessed by these instructions) in cells number m+√m+1 through m+2√m. The instruction "get ball i" is executed as follows. First scan through the special cells and check whether ball i is in one of these cells. If the i-th ball is not found there then we retrieve it from cell π(i); else we access the next empty cell (i.e. one of the cells m+1 through m+√m which was not accessed before).

3) Return balls to their initial locations.

Before getting to the implementation details of the above steps, we provide some hints as to why no information about the instruction sequence is revealed by the sequence of visible actions. Step (1) is syntactically independent of the instruction sequence. The accesses executed in step (2) are of two types: scanning through all cells from the (m+√m+1)-th to the (m+2√m)-th, and accessing a new random cell between 1 and m+√m. No information about the instruction sequence is leaked by this! The access pattern of Step (3) is identical to a combination of the second type of accesses made in Step (2), and the accesses of step (1).

4.1 How to randomly permute the contents of the memory 

We first show how to implement a random permutation by using a random oracle and sorting, and next 
show how to implement sorting using a random oracle. 

Choosing and "storing" a random permutation 

We show how to choose and store a random permutation over {1,2,...,t}, using O(log t) storage and a random oracle. The idea is to use the oracle in order to tag the elements with random distinct (with high probability) integers. The permutation is obtained by sorting the elements by their tags. (It suffices to have the tags drawn at random from the set {1,2,...,t^{log t}}.) Let f: {1,2,...,t} → {1,2,...,t^{log t}} be a random function trivially constructed by the random oracle. Then π(i) = k if and only if f(i) is the k-th smallest element in {f(j): 1 ≤ j ≤ t}.



1) Remark: Luby and Rackoff [LR] showed that three iterations of the DES can be used to construct a pseudorandom permutation out of three random functions. However, this pseudorandom permutation is not good enough for our purposes since it can be distinguished from a random permutation with probability Θ(q²/t), where q is the number of permutation evaluations.
Arranging the balls by the chosen permutation

Now we face the problem of sorting the t elements (by their tags) in a manner which leaks no information about the permutation. The crucial condition is that the magician which executes the sorting can store only a fixed number of balls (say 2) at a time. The idea is to "implement" Batcher's Sorting Network [Bat], which allows one to sort t elements by t⌈log₂ t⌉² comparisons. Each comparison is "implemented" by accessing both the corresponding cells, retrieving their contents, and then putting the contents back in the desired order. The sequence of accesses generated for this purpose is fixed and independent of the permutation to be implemented. Note that the magician can easily compute at each point which comparison he needs to implement next. This is due to the simple structure of Batcher's network, which is uniform with respect to logarithmic space (2).

Computing the permutation in succeeding steps (2) and (3) 

The way the permutation JC is defined does not allow an immediate method of computing Jt(: ) on input 
i. This computation will be required in the subsequent executions of steps (2) and (3). We will "compute" 
K(i ) by conducting a binary search on the/(-)'s, using the fact that (after step (1)) the/()'s are "stored", in 
sorted order, in the cells. Note that 7c(i ) is computed in order to xcess the n(i )-th cell, and therefore the 
accesses done in the binary search do not add any information (since they are determined by Ji(i )). 
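The three ingredients of Section 4.1 (random tags, a fixed comparator schedule, and a binary search for π(i)) as an added Python example that is not part of the paper. batcher_comparators generates the comparator list of Batcher's odd-even merge sort for t = 2^k positions; that list depends on t only, so the magician's cell accesses during sorting are the same for every permutation. A seeded pseudorandom generator stands in for the random oracle, and the sort key is the pair (tag, ball) rather than the tag alone, a choice of this example that keeps the result a permutation even in the rare event of a tag collision. The function names are this example's own.

```python
import random


def _merge(lo, hi, r, out):
    """Odd-even merge of positions lo..hi (inclusive) with stride r."""
    step = 2 * r
    if step < hi - lo:
        _merge(lo, hi, step, out)
        _merge(lo + r, hi, step, out)
        out.extend((i, i + r) for i in range(lo + r, hi - r, step))
    else:
        out.append((lo, lo + r))


def _sort(lo, hi, out):
    if hi - lo >= 1:
        mid = lo + (hi - lo) // 2
        _sort(lo, mid, out)
        _sort(mid + 1, hi, out)
        _merge(lo, hi, 1, out)


def batcher_comparators(t):
    """Comparator schedule of Batcher's odd-even merge sort on t = 2^k cells
    (0-based positions).  The schedule is a function of t alone: the cells
    the magician touches while sorting reveal nothing about the tags."""
    if t & (t - 1):
        raise ValueError("t must be a power of two")
    out = []
    _sort(0, t - 1, out)
    return out


def sorts_all_01_inputs(t):
    """0-1 principle: a comparator network that sorts every 0/1 vector sorts
    every input, so this exhaustive check certifies the schedule for size t."""
    comps = batcher_comparators(t)
    for bits in range(1 << t):
        v = [(bits >> k) & 1 for k in range(t)]
        for i, j in comps:
            if v[i] > v[j]:
                v[i], v[j] = v[j], v[i]
        if any(v[k] > v[k + 1] for k in range(t - 1)):
            return False
    return True


def random_tags(t, rng):
    """The oracle's f: {1..t} -> {1..t^(log2 t)}; a seeded PRNG stands in for it."""
    bound = t ** max(1, t.bit_length() - 1)
    return [rng.randrange(1, bound + 1) for _ in range(t)]


def arrange(tags, comps):
    """Run the t (key, ball) pairs through the fixed schedule, two cells at a
    time.  Afterwards position k holds the ball with the k-th smallest key,
    i.e. ball i sits in cell pi(i)."""
    cells = [(tags[i], i + 1) for i in range(len(tags))]
    for i, j in comps:
        if cells[i] > cells[j]:
            cells[i], cells[j] = cells[j], cells[i]
    return cells


def pi_of(i, tags, cells):
    """Compute pi(i) by binary search over the sorted keys.  Returns the 1-based
    cell of ball i and the positions read; the reads depend only on pi(i)."""
    key = (tags[i - 1], i)
    lo, hi, reads = 0, len(cells) - 1, []
    while lo <= hi:
        mid = (lo + hi) // 2
        reads.append(mid)
        if cells[mid] == key:
            return mid + 1, reads
        if cells[mid] < key:
            lo = mid + 1
        else:
            hi = mid - 1
    raise KeyError(i)
```

For t = 8 the schedule has 19 comparators and the binary search reads at most 4 cells, the O(log t) the text promises.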
4.2 How to simulate a single access

Now it is straightforward to give the details of Step (2). Throughout step (2), count maintains the number of single accesses simulated in the current run. count is initially 0 and is incremented until it reaches √m. On instruction "take ball i" the magician proceeds as follows:

2a) Scans through locations m+√m+1 to m+2√m. If ball i is in one of these cells then fetch it, and set j such that ball i was taken from the (m+√m+j)-th cell. If none of these cells contains ball i then set j = count.

2b) If j ≠ count then the magician accesses the π(m+count)-th cell (which is empty!); else the magician accesses the π(i)-th cell and retrieves its contents (i.e. ball i).

2c) Scans through locations m+√m+1 to m+2√m again, and puts ball i in the (m+√m+j)-th cell. Increments count by 1.

4.3 How to rearrange the balls 

Rearranging the balls is done in two substeps: first we undo the effect of the execution of Step (2) and next the effect of Step (1). Following is a description of the first substep. The second substep can be incorporated in the next execution of step (1).

For j = 1 to √m the magician proceeds as follows:

Accesses the (m+√m+j)-th cell. If it contains a ball, say ball i, then the magician accesses the π(i)-th cell and puts ball i there. If the (m+√m+j)-th cell is empty then the magician accesses the π(m+j)-th cell (but puts nothing there).

2) The simplicity of Batcher's sorting network is the main reason we prefer it to the asymptotically superior Ajtai-Komlós-Szemerédi sorting network [AKS].
4.4 Analysis

The reader may easily verify that the sequence of accesses of the magician indeed yields no information about the sequence of instructions. It is left to calculate the overhead of the simulation (i.e. the ratio of accesses over instructions). The permutation applied after every √m instructions causes an overhead of O(m (log₂ m)²), which amounts to an amortized overhead of O(√m (log₂ m)²) actions per instruction. In addition, each of the instructions causes O(√m) actions to be taken in step (2). Other actions taken in step (3) are negligible in number. The total overhead thus amounts to O(√m (log₂ m)²) actions per instruction (3). We get

Theorem 1: There exists a magician procedure with O(√m (log₂ m)²) overhead. Furthermore, this procedure is efficient in the sense of Section 3.
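The procedure of Sections 4 to 4.3 can be simulated end to end to see what the adversary's view looks like. The following Python class is an added example and not the paper's code. It draws π directly with random.shuffle instead of realising it with tags, Batcher's network and a binary search (so the fixed, data-independent access pattern of step (1) is left out of the trace); it lets count run from 0 to √m−1, so the text's π(m+count) and m+√m+j become π(m+1+count) and m+√m+1+slot; and it records every cell touched in steps (2) and (3). trace_shape replaces the fresh random cell numbers by a placeholder and shows that two instruction sequences of equal length give the same visible sequence; step2_fresh_cells shows that within a round the "new random cell" accesses are distinct. The class and function names are this example's own.

```python
import math
import random

EMPTY = None  # marker for an empty cell


class SqrtMagician:
    """Square-root oblivious simulation of "take ball i" (Sections 4 to 4.3).

    Added example, not the paper's code.  Cells are numbered 1..2m as in the
    text; cells m+sqrt(m)+1 .. m+2sqrt(m) are the shelter of step (2).  The
    permutation pi is drawn directly (random.shuffle) rather than built from
    tags and Batcher's network, so the fixed access pattern of step (1) is
    not in self.trace; the trace records every cell touched in steps (2)
    and (3), which is what the adversary sees.
    """

    def __init__(self, m, rng):
        s = math.isqrt(m)
        if s * s != m or m < 2 * s:
            raise ValueError("m must be a perfect square with m >= 2*sqrt(m)")
        self.m, self.s, self.rng = m, s, rng
        self.cells = [EMPTY] * (2 * m + 1)      # index 0 is unused
        for i in range(1, m + 1):               # step (0): ball i sits in cell i
            self.cells[i] = i
        self.trace = []
        self._shuffle()

    def _access(self, c):
        """Touch cell c (visible to the adversary) and return its content."""
        self.trace.append(c)
        return self.cells[c]

    def _shuffle(self):
        """Step (1): ball b moves to cell pi(b) for a fresh random pi over
        1..m+sqrt(m); cells pi(m+1)..pi(m+sqrt(m)) stay empty and serve as
        the dummy targets of steps (2b) and (3)."""
        n = self.m + self.s
        perm = list(range(1, n + 1))
        self.rng.shuffle(perm)
        self.pi = dict(zip(range(1, n + 1), perm))
        new = [EMPTY] * (2 * self.m + 1)
        for c in range(1, n + 1):
            b = self.cells[c]
            if b is not EMPTY:
                new[self.pi[b]] = b
        self.cells = new
        self.count = 0

    def take(self, i):
        """Step (2) for one instruction "take ball i"; returns the ball read."""
        m, s = self.m, self.s
        base = m + s
        ball, slot_used = EMPTY, self.count
        for slot in range(s):                    # 2a: scan the whole shelter
            v = self._access(base + 1 + slot)
            if v == i:
                ball, slot_used = v, slot
                self.cells[base + 1 + slot] = EMPTY   # the ball is now in the hand
        if ball is not EMPTY:                    # 2b: dummy access to an unused empty cell
            assert self._access(self.pi[m + 1 + self.count]) is EMPTY
        else:                                    # 2b: real access to pi(i)
            ball = self._access(self.pi[i])
            self.cells[self.pi[i]] = EMPTY
        for slot in range(s):                    # 2c: scan again, drop the ball
            self._access(base + 1 + slot)
            if slot == slot_used:
                self.cells[base + 1 + slot] = ball
        self.count += 1
        if self.count == s:                      # round over: step (3), then step (1)
            self._rearrange()
            self._shuffle()
        return ball

    def _rearrange(self):
        """Step (3): empty the shelter back into the permuted cells, touching one
        cell among 1..m+sqrt(m) per shelter cell whether or not it held a ball."""
        m, s = self.m, self.s
        for j in range(1, s + 1):
            b = self._access(m + s + j)
            if b is EMPTY:
                self._access(self.pi[m + j])      # dummy, nothing written
            else:
                self._access(self.pi[b])
                self.cells[self.pi[b]] = b
                self.cells[m + s + j] = EMPTY


def run(m, instructions, seed):
    """Simulate an instruction sequence; returns (balls read, visible trace)."""
    mag = SqrtMagician(m, random.Random(seed))
    return [mag.take(i) for i in instructions], mag.trace


def trace_shape(trace, m):
    """The adversary's view up to the fresh random cell numbers: accesses to the
    permuted cells 1..m+sqrt(m) become 'R', shelter accesses keep their number."""
    n = m + math.isqrt(m)
    return tuple("R" if c <= n else c for c in trace)


def step2_fresh_cells(trace, m):
    """The one access per instruction that lands in 1..m+sqrt(m) during step (2),
    grouped by round; within a round these are distinct cells."""
    s = math.isqrt(m)
    fresh = [c for c in trace if c <= m + s]
    return [fresh[k:k + 2 * s][:s] for k in range(0, len(fresh), 2 * s)]
```

With m = 16 every instruction costs 4 + 1 + 4 visible accesses and every round of 4 instructions adds 8 more in step (3), so 8 instructions yield 88 accesses whether they ask for the same ball eight times or for eight different balls.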

5. THE RECURSIVE SOLUTION 

The recursive solution presented in this section is based on a generalization of the solution presented in Section 4. One can view the solution of Section 4 as consisting of two parts: the random shuffling and reshuffling of the cells' contents every √m original accesses (steps (1) and (3)), and the simulation of the instructions through their randomized locations (step (2)). Substeps (2a) and (2c) actually simulate a "powerful" magician which can hold up to √m balls in its hands at any time: the magician looks whether he already holds the required ball. If the answer is negative then the magician fetches the ball, else he reaches for a "new" empty cell. Holding up to √m balls was simulated in the obvious manner by scanning through √m extra cells.

When trying to generalize the solution, we want to decrease the amortized cost of the random shuffling. Thus we will consider a more powerful magician capable of holding up to f(m) > √m balls (say f(m) = m^{3/4}). The amortized cost of steps (1) and (3) is thus m(log₂ m)²/f(m). The key question is: how are we going to simulate the magician with the f(m)-size hand?

We will think of the magician's hand as a heap containing up to f(m) elements. We need to support f(m) find operations and up to f(m) element insertions to this heap. This translates to f(m)·log₂ f(m) access operations to the data structure. We can view the situation as a new simulation, this time on O(f(m)) cells and for O(f(m) log f(m)) instructions. In other words, we need to issue log₂ f(m) new instructions into the f(m)-size hand per each instruction into the original cells. We thus get

overhead(m) = m(log₂ m)² / f(m) + O(log f(m)) · overhead(f(m)).

Solving the recurrence, we get overhead(m) = O(2^{√(2 log₂ m · log₂ log₂ m)}). Thus

Theorem 2: There exists a magician procedure with O(2^{√(2 log₂ m · log₂ log₂ m)}) overhead. Furthermore, this procedure is efficient in the sense of Section 3.

3) Actually, the above choice of parameters is not optimal. Repermuting the balls after every O(√m log m) instructions yields an overhead of O(√m · log m) actions per instruction.



6. A LOWER BOUND 

A simple combinatorial argument shows that any oblivious simulation of arbitrary RAMs should have an average Ω(log m) overhead.

Theorem 3: Every successful magician procedure must make at least m + (t−1)·log₂ m actions in order to implement t instructions.

The proof uses very little of the structure of the problem, and therefore we do not believe that the lower bound 
obtained is tight. 



7. CONCLUSIONS AND OPEN PROBLEMS 

We have reduced software protection to a "hidden access game". The reduction was carried out on the instruction level. However, an identical reduction can be carried out on any level of programming modularity, e.g. cache memory accesses, paging mechanisms etc.

The hidden access game has also other applications, such as allowing many users to run secretly private programs on a public computer, foiling flow analysis in distributed communication networks etc.

Formulating the problem of preventing software duplication has led us to consider the question of what can be learnt about a program by watching its executions. It seems that formulating the problem of preventing software distribution (i.e. fingerprinting software) will lead to different questions. It will be very interesting to try and come up with a theoretical framework and definitions for "fingerprinted software".

A more technical problem is to provide better solutions to the hidden access game, and in turn to present compilers which protect software at lower cost. We believe that this should be possible. On the other hand, proving better lower bounds on the overhead of good magicians will also be interesting. At this point the gap between the known upper and lower bounds on the overhead is quite large: O(2^{√(2 log m · log log m)}) versus Ω(log m).
APPENDIX



Definition (polynomial indistinguishability [GM, Y]): Let {Π_1^n} and {Π_2^n} be two probability ensembles; that is, for every integer n and i, Π_i^n is a probability distribution on strings of length ≤ poly(n). The ensembles {Π_1^n} and {Π_2^n} are polynomially indistinguishable if the following holds:

For every probabilistic polynomial-time algorithm A, every constant c, and sufficiently large n, the probability that A outputs 1 on n and a string selected according to Π_1^n equals, up to an additive n^{−c}, the probability that A outputs 1 on a string selected in Π_2^n.

Definition 5 (Probabilistic Encryption and its Security [GM]): A probabilistic encryption scheme is a triplet of probabilistic polynomial-time algorithms denoted G, E, D such that:

1) On input n (in unary representation) algorithm G outputs a key K of length n.

2) On input a key K and a message M, algorithm E outputs an encryption denoted E_K(M).

3) On input a key K and an encrypted message E_K(M), algorithm D always outputs M. In case D is given an illegal key-encryption pair it may behave arbitrarily.

The following security definition implies that both G and E can map an input to many (more than polynomially many) possible outputs. Let M_1 and M_2 be two messages and A be a probabilistic polynomial-time machine which operates as follows. Algorithm A receives as input two encryptions E_K(M_1) and E_K(M_2) in arbitrary order. In addition, algorithm A is given access to a black box implementing E_K (i.e. when sending q to the black box, A receives back as an answer a random encryption E_K(q)). Let Π_{A,1,2}^n denote the probability that A outputs 1 when K is a key randomly chosen by G on input n, and the encryption of M_1 was placed to the left of the encryption of M_2 on the input tape. Similarly, Π_{A,2,1}^n denotes the probability of output 1 when M_2's encryption was placed to the left of M_1's. An encryption scheme is secure if for every two messages M_1 and M_2 and every probabilistic polynomial-time algorithm A, {Π_{A,1,2}^n} and {Π_{A,2,1}^n} are polynomially indistinguishable.

Remark: The original definition of encryption security [GM] is for Public-Key Encryptions and thus access to a black box implementing E_K is redundant. Above we gave a more general definition that suits both Private-Key and Public-Key encryptions.
1. Introduction

In this note, we make two loosely related observations on Rabin's probabilistic primality test. The first remark gives a rather strange and provocative reason as to why Rabin's test is so good. It turns out that a single iteration fails with a non-negligible probability on a composite number of the form 4j+3 only if this number happens to be easy to split. The second observation is much more fundamental because it is not restricted to primality testing: it has profound consequences for the entire field of probabilistic algorithms. There we ask the question: how good is Rabin's algorithm? Whenever one wishes to produce a uniformly distributed random probabilistic prime with a given bound on the error probability, it turns out that the size of the desired prime must be taken into account.

2. A Brief Survey of Primality Testing 

How difficult is it to distinguish prime numbers from composite numbers ? This is perhaps the 
single most important problem in computational number theory. We do not attempt here an exhaus- 
tive review of its long history. Let us only mention some of the most outstanding modern steps. 
It has been known for several years that the problem of recognizing prime numbers belongs to P under the Extended Riemann Hypothesis [Mi] and that it belongs to co-RP [R1, SS] and NP [P] without any assumptions. It can also be solved in almost polynomial time by a deterministic algorithm that runs for a number of steps in O(m^{O(log log m)}), where m is the size of the number to be tested [APR]. More recently, it was found to lie in RP [GK, AH], and therefore in ZPP [G] as well. In other words, this problem can be solved in probabilistic polynomial time by a Las Vegas [B] algorithm: whenever an answer is obtained, that answer is correct.

From a theoretical point of view, the problem of primality testing is therefore solved (although it remains of interest to figure out whether or not it belongs to P without assumptions). However, the polynomial that gives the running time of [GK] is of the twelfth degree and [AH] does not improve on this, which makes these algorithms of little practical use. For very large numbers (several hundreds of decimal digits), this leaves us with Rabin's probabilistic test [R1] as the best approach.
2. Supported in part by an NSERC postgraduate scholarship; current address: M.I.T.

A.M. Odlyzko (Ed.): Advances in Cryptology - CRYPTO '86, LNCS 263, pp. 443-450, 1987.
Let prob[Rabin(n) = verdict] denote the probability that one iteration of this algorithm on input n returns verdict, where verdict can either be "prime" or "composite". The basic theorem about Rabin's test is that

prob[Rabin(n) = "prime" | n is indeed prime] = 1

whereas

prob[Rabin(n) = "prime" | n is in fact composite] < 1/4.

One is therefore certain that n is composite whenever any single run of Rabin(n) returns "composite". On the other hand, one can never be sure that n is a prime no matter how many runs of Rabin(n) have returned "prime". This test is usually run in a loop as follows:

function RepeatRabin(n, k)
  { n is an odd integer to be tested for primality;
    k is a safety parameter discussed below }
  var i : integer, done : Boolean
  i ← 0
  repeat
    i ← i + 1
    done ← (Rabin(n) = "composite")
  until done or i ≥ k
  if done then return "composite" {for sure}
  else return "prime" {probably (?)} .

There is a trade-off in the choice of the parameter k above: the bigger it is, the more confident we are in the advent of a "prime" answer but the more time it takes to build up this confidence. This paper addresses two aspects of the question: just how confident in a number's primality can we be after running this test?

3. Why is Rabin's Test so Good? 

This section only applies when n is of the form 4j+3. In this case, Rabin's test (which is then equivalent to Solovay-Strassen's [SS]) becomes quite simple. Let

Z_n^* = { x | 1 ≤ x < n and gcd(x, n) = 1 }
and R_n = { a ∈ Z_n^* | a^{(n−1)/2} ≡ ±1 (mod n) }.

The basic theorem states that R_n = Z_n^* whenever n is a prime, whereas #R_n ≤ #Z_n^*/4 otherwise, still assuming that n ≡ 3 (mod 4). Notice that both 1 and n−1 always belong to R_n. This theorem is used naturally as follows:

function Rabin(n)
  { we assume that n is of the form 4j+3 }
  a ← random integer uniformly selected in 2..n−2
  if a ∈ R_n then return "prime"
  else return "composite" .

Whenever n is composite, the error probability of this procedure is clearly given by (#R_n − 2)/(n − 3), so that elements of R_n other than 1 and n−1 are known as false witnesses for n. From the basic theorem, we know that this error probability is always smaller than 25%. However, it is well known to be often much smaller. Monier gives an exact (but rather scary) formula for this probability [Mo]; see also [Kr]. As a corollary of Monier's formula, the error probability never exceeds (φ(n)/2^{r−1} − 2)/(n − 3), where r is the number of distinct prime factors of n and φ(n) = #Z_n^* denotes Euler's function [HW]. Despite this tightening of the bound on the error probability (at least when n has more than three distinct prime factors), it turns out that the latter is usually still much smaller. In other words, Rabin's test performs in practice much better than one might naively expect.

For instance, 42,799 (= 127×337) admits only 880 false witnesses, compared to φ(42,799)/4 = 10,584. Even better, Rabin's test never fails on integers of the form 3×5×7×11×··· such as 15,015: these admit no false witnesses at all. More impressively, it is enough to test deterministically for each a ∈ {2,5,7,13} in order to decide primality without any failures up to 25×10^9 (using {2,3,5,7} still leaves one error in this range [PSW]). Although "high risk" numbers exist, such as n = 79,003 (= 199×397) or 3,215,031,751 (= 151×751×28,351) with #R_n = #Z_n^*/4 and (#R_n − 2)/(n − 3) ≈ 24.8%, these are not the rule (one can nonetheless prove, using Monier's formula, that every composite number of the form (12m+7)(24m+13) is such a high risk number, provided both 12m+7 and 24m+13 are prime). We address here the following bizarre question: why is Rabin's test so good?

In order to give some sort of answer, we define the following set:

H_n = { b ∈ Z_n^* | b ∉ R_n and (∃a ∈ R_n)[a² ≡ b² (mod n)] }.

Assume for the moment that n is not a prime power (i.e. not of the form p^m for some prime p and some integer m ≥ 2). Theorem 1 states that each element of H_n is a handle that allows easy splitting of n (i.e. finding at least one non trivial factor of n) and that there are at least as many such handles as there are false witnesses. Our provocative interpretation states that it is only possible for a single iteration of Rabin's test to fail (i.e. declare n prime) with a non-negligible probability if it happens that n is easy to split (and hence obviously composite)! This result extends to every composite n of the form 4j+3 in an obvious way since prime powers are easy to split. In other words, there exists a simple probabilistic splitting algorithm whose running time is small on every composite number congruent to 3 modulo 4 on which Rabin's test is not extremely effective. More precisely, for any polynomial p, the splitting algorithm succeeds at finding a non trivial factor in expected polynomial time on all those composite integers n such that prob[Rabin(n) = "prime"] ≥ 1/p(|n|) and n ≡ 3 (mod 4), where |n| denotes the size of n (in bits or in decimal digits).

What happens when n is of the form 4j+1? We leave this as an open question. Let us only point out that Rabin's test could actually work better on numbers congruent to 3 modulo 4 than on numbers congruent to 1 modulo 4. Indeed, among the 4842 odd composite integers smaller than 25×10^9 that count 2 as a false witness, only 1033 (≈ 21%) are of the form 4j+3 [PSW].

Theorem 1

(i) (∀b ∈ H_n)[gcd(n, 1 + b^{(n−1)/2} mod n) is a non trivial divisor of n];

(ii) #H_n ≥ #R_n.

Proof

Except for the exponents, all calculations in this proof are done modulo n.

(i) Consider any b ∈ H_n. Let a ∈ R_n be such that a² = b². Let x = b^{(n−1)/2}. We know that x ≠ ±1 because b ∉ R_n. On the other hand, x² = b^{n−1} = (b²)^{(n−1)/2} = (a²)^{(n−1)/2} = (a^{(n−1)/2})² = (±1)² = 1. Therefore, x is a non trivial square root of 1, and this is enough to split n by the well-known formula gcd(n, 1+x) [R2].

(ii) For each a ∈ R_n, define B_n(a) = { b ∈ Z_n^* | a² = b² (mod n) }. Because n is composite and is not a prime power, B_n(a) contains at least 4 elements [HW]. Consider b ∈ B_n(a) such that b ≠ ±a. We have

b^{(n+1)/2} = (b²)^{(n+1)/4}   (because n ≡ 3 (mod 4))
            = (a²)^{(n+1)/4} = a^{(n+1)/2}
            = a × a^{(n−1)/2} = ±a   (because a ∈ R_n).

Therefore, b^{(n−1)/2} = b^{(n+1)/2} / b = ±a/b ≠ ±1 because b ≠ ±a, hence b ∈ H_n. This shows that to each pair a, −a of elements of R_n corresponds at least two distinct elements in H_n, completing the proof that H_n contains at least as many elements as R_n. Notice also that this reasoning is trivially extended to conclude, as mentioned earlier in this section, that #R_n ≤ φ(n)/2^{r−1}, where r is the number of distinct prime factors of n, because each quadratic residue admits in this case exactly 2^r distinct square roots [HW]. □

Notice that part (i) of this proof still holds when n ≡ 1 (mod 4). Unfortunately, part (ii) fails miserably because H_n is then always empty, due to the fact that each square root of the square of a false witness is also a false witness. This fact may partly explain the observed phenomenon that Rabin's test seems to be less effective on these numbers.
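The sets R_n and H_n and the handle of Theorem 1(i), as an added Python example that is not part of the paper: the one-round test for n ≡ 3 (mod 4), RepeatRabin, an exhaustive count of the false witnesses and handles of a small n, and the splitting gcd(n, 1 + b^{(n−1)/2}). The function names are this example's own; the figures for 42,799, 15,015 and 79,003 quoted in this section can be reproduced with it, and the exhaustive enumeration of Z_n^* is only meant for such small n.

```python
import math
import random


def in_R(n, a):
    """a is in R_n: a^((n-1)/2) = +-1 (mod n).  For prime n this always holds
    (Euler's criterion); for composite n = 3 (mod 4) at most a quarter of Z_n^* does."""
    return pow(a, (n - 1) // 2, n) in (1, n - 1)


def rabin(n, rng):
    """function Rabin(n) of the text, for n = 3 (mod 4)."""
    a = rng.randrange(2, n - 1)              # uniform in 2..n-2
    return "prime" if in_R(n, a) else "composite"


def repeat_rabin(n, k, rng):
    """function RepeatRabin(n, k): "composite" is certain, "prime" is probable."""
    for _ in range(k):
        if rabin(n, rng) == "composite":
            return "composite"
    return "prime"


def units(n):
    """Z_n^* by exhaustion (fine for the small n used here)."""
    return [x for x in range(1, n) if math.gcd(x, n) == 1]


def false_witnesses(n):
    """R_n without its trivial members 1 and n-1."""
    return [a for a in units(n) if a != 1 and a != n - 1 and in_R(n, a)]


def handles(n):
    """H_n: units outside R_n whose square is the square of some element of R_n."""
    r_squares = {a * a % n for a in units(n) if in_R(n, a)}
    return [b for b in units(n) if not in_R(n, b) and b * b % n in r_squares]


def split_with_handle(n, b):
    """Theorem 1(i): for b in H_n, gcd(n, 1 + b^((n-1)/2)) is a proper divisor,
    since b^((n-1)/2) is a square root of 1 other than +-1."""
    d = math.gcd(n, 1 + pow(b, (n - 1) // 2, n))
    if not 1 < d < n:
        raise ValueError("not a handle")
    return d


def error_probability(n):
    """(#R_n - 2)/(n - 3): probability that one round of Rabin(n) says "prime"."""
    return len(false_witnesses(n)) / (n - 3)


def euler_phi(n):
    return len(units(n))
```

For n = 42,799 = 127×337 every quadratic residue has exactly four square roots, so each pair ±a in R_n yields exactly two handles and #H_n = #R_n; any handle splits n into 127 and 337.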

4. How Good is Rabin's Test? 

We must first ask the following question: what is Rabin's test good for? At least two answers come to mind: to decide on the primality of a given integer and to generate one or several primes (perhaps of a given size). We shall consider these two settings in turn, starting with the second.

4.1. How to Generate Random Primes of a Given Size 

The generation of large primes drawn with a uniform distribution from the set of all primes of a 
given size is of crucial importance in cryptography [RSA]. Although it is possible to generate such 
primes with certainty using the algorithms of [APR, AH], their running time is currently too high to 
be used in practice. It is also possible to efficiently generate large certified primes by a variation on 
Pratt's non-deterministic algorithm [P] (generate the NP certificate and the resulting prime hand in 
hand) or by more sophisticated techniques [CQ], but the resulting distribution would not be uniform. 
Again, the most attractive solution in practice is to use Rabin's test as follows : 

function GenPrime(l, k)
  { l is the size of the prime to be produced;
    k is a safety parameter discussed below }
  repeat
    n ← randomly selected l-digit odd integer
  until RepeatRabin(n, k) = "prime"
  return n .

The resulting output is a probabilistic prime in the sense that we can never be assured that it is 
indeed prime. We can nonetheless increase our confidence in the number's primality by increasing 
the safety parameter k. (What a shame that Rabin's algorithm can certify those cryptographically 
useless composite numbers whereas it can only give probabilistic information on the useful primes! 
— which is precisely why [GK, AH]'s algorithms are of such (as yet theoretical) interest.) 
In order to use GenPrime for cryptographic purposes, it is important that its probability of returning a composite integer be estimated. The popular belief is that

prob[GenPrime(l, k) is composite] ≤ 4^{−k}

because each of the k rounds of RepeatRabin has a probability smaller than 1/4 of failing on any given composite number. If we repeatedly use GenPrime to produce m distinct "primes", we therefore expect on the average that less than m×4^{−k} of them will turn out to be composite. For instance, Knuth writes: "if we certified a billion different primes with such a procedure (4), the expected number of mistakes would be less than 10^{−6}" [Kn, page 379].

This assertion may be true (5), but the reason is wrong. Indeed, it could only be true because prob[Rabin(n) = "prime"] is so much smaller than 1/4 on most composite numbers. Should the error probability be exactly 1/4 on every composite odd integer, the number of expected errors would be significantly larger than 10^9×4^{−25} ≈ 10^{−6}.

From now on, let us assume we use a hypothetical test (that we shall continue to call Rabin) such that

prob[Rabin(n) = "prime" | n is indeed prime] = 1

as before, whereas

prob[Rabin(n) = "prime" | n is in fact composite] = 1/4 (exactly).

It turns out that the error probability of each instantiation of GenPrime(l, k) depends on the size of the desired prime. As one can easily compute from Lemma 1 and Theorem 2 below, the expected number of errors exceeds l×10^{−6} when k = 25, provided 35 < l < 2×10^{13}. In particular, if one wanted one billion 1000-digit primes, the expected number of mistakes would exceed 0.001. To be more provocative, if one had a need for one billion one-billion-digit primes, running Rabin's test a mere 25 times per "prime" would result in an expected 1022 composite numbers among them. Worse still, each call to GenPrime(10^15, 25) has a roughly 50% chance of producing a composite number!

In a nutshell, the reason for this confusion is that prob[X|Y] ≠ prob[Y|X] in general. In particular, if X stands for "n is composite" and Y for "RepeatRabin(n, k) returned "prime"", then it is true that prob[Y|X] ≤ 4^{−k}, but this does not allow us to conclude that prob[X|Y] ≤ 4^{−k} as well. In order to get an estimate on prob[X|Y], which is the cryptographically relevant probability, it is necessary to have an a priori probability that n is prime before even the first call to Rabin(n) is performed. Fortunately, the prime number theorem [HW] comes to the rescue, which is where the size of the desired prime comes into play: the a priori probability that a randomly selected odd l-digit integer be prime is roughly 2/(lα), where α ≈ 2.3 stands for the natural logarithm of 10. More precisely,

Lemma 1

If n is uniformly, randomly selected among the odd l-digit integers, then

prob[n is prime] ≈ 2 / ((l−1)×α) .


4. Knuth does not explicitly say how he would use Rabin's test to certify those billion primes, except that 
he would run it "25-times-in-a-row" on each of them. It is our interpretation that he meant something along 
the lines of RepeatRabin(n, 25). Of course, Knuth's assertion is vacuously true if taken literally: if the 
integers thus certified are indeed "one billion primes", no mistakes are possible at all! 






Proof 

Immediate from the prime number theorem [HW], which says that the number of primes 
not exceeding n is asymptotic to n / ln n. Notice that this approximation is fairly accurate 
even for reasonably small values of n. For instance, there are 50,847,478 primes smaller 
than 10^9, whereas n / ln n would give about 48,254,942. □ 
Theorem 2 

Let p be the probability that a uniformly, randomly selected odd l-digit number is prime. 
The probability that GenPrime(l, k) returns a composite number is given by 

$$\frac{1}{1 + \dfrac{p}{1 - p}\,4^{k}}$$

This is about (lα/2) × 4^{-k} provided l is substantially smaller than 4^k, and about ½ when 
l ≈ 2 × 4^k / α. 

Proof 

Let X and Y be as before. Clearly, prob[X] = 1 − p and prob[Y | X] = 4^{-k} (with our 
simplification to the effect that Rabin's test fails with probability exactly ¼ on composite 
numbers). We are interested in prob[X | Y]. We thus use the formula 

which yields the theorem after routine algebraic manipulation because 
prob[Y] = prob[X] × prob[Y | X] + prob[not X] × prob[Y | not X] 
= (1 − p) × 4^{-k} + p × 1. □ 

Intuitively, the confidence we get in the number's primality from running Rabin's test several 
times must be weighted by the a priori overwhelming probability that it is composite if randomly 
chosen among the odd integers of a substantial size. For instance, if the size is 2 × 4^k / α, only about 1 
in 4^k odd integers is prime. If a random odd integer of this size passes k rounds of Rabin's test, it is 
just as likely that this occurred because we were lucky enough to hit a prime or unlucky enough to 
observe such behaviour on a composite number! 

4.2. How to Decide on the Primality of a Given Integer 

Suppose some odd integer n is given to you. You are to decide whether you think it is prime or 
not. You therefore run Rabin's test for some number k of rounds, and it never finds n to be composite. 
What can you tell from this? 

One obviously wrong answer is: "this number is prime with probability 1 − 4^{-k}". This makes no 
sense because any given integer is either prime or not. 

The classic answer is: "I believe this number to be prime, and my error probability is at most 
4^{-k} (in the sense that I expect to be wrong at most once every 4^k such statements if you quiz me 
long enough)". This is wrong as well because no estimate on the error probability of "I believe this 



5. We think the assertion is true, but we have not yet actually carried out the calculation necessary to 
prove it. 
number to be prime" can be made without an a priori estimate on the probability that the number is 
prime. If you know that it was chosen randomly and uniformly among the odd integers of some 
given size l, section 4.1 tells you that you can still achieve an error probability below 4^{-k}, but at the 
cost of running Rabin's test for an additional (roughly) log_4 l rounds. However, if you do not know 
where the number comes from, you are at a complete loss. 

Still, there is one thing you can say: "I believe this number to be prime, and if I am wrong I 
have observed a natural phenomenon whose probability of occurrence was bounded by 4^{-k}". This 
statement is certainly weak, but we cannot think of anything stronger one can infer in general from 
running Rabin's test any number of times. 
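The computations behind Lemma 1, Theorem 2 and the "additional log_4 l rounds" remark of section 4.2, as an added worked example that is not part of the paper: a Python implementation of one round of Rabin's test with a random base, of RepeatRabin and GenPrime as the paper uses them, and of the Bayesian error estimate 1 / (1 + (p/(1−p)) 4^k) with p = 2/((l−1)α). The function names, the use of floating-point 4.0 ** k (adequate for k below about 500) and the sample inputs are choices made for this example, not the paper's.

```python
import math
import random

ALPHA = math.log(10)  # the paper's alpha: natural logarithm of 10, about 2.3


def rabin(n, rng=random):
    """One round of Rabin's test with a uniformly random base.
    "composite" is a certificate; "prime" only means no witness was found."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return "composite"
    if n in (2, 3):
        return "prime"
    d, s = n - 1, 0                     # write n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    a = rng.randrange(2, n - 1)
    x = pow(a, d, n)
    if x in (1, n - 1):
        return "prime"
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return "prime"
    return "composite"


def repeat_rabin(n, k, rng=random):
    """RepeatRabin(n, k): k independent rounds; answers "prime" only if none finds a witness."""
    for _ in range(k):
        if rabin(n, rng) == "composite":
            return "composite"
    return "prime"


def gen_prime(l, k, rng=random):
    """GenPrime(l, k): draw random odd l-digit integers until RepeatRabin accepts one."""
    lo, hi = 10 ** (l - 1), 10 ** l - 1
    while True:
        n = rng.randrange(lo, hi + 1) | 1   # force the candidate odd (hi is odd, so it stays in range)
        if repeat_rabin(n, k, rng) == "prime":
            return n


def prob_prime_odd_l_digit(l):
    """Lemma 1: a priori probability that a random odd l-digit integer is prime, 2 / ((l - 1) alpha)."""
    return 2.0 / ((l - 1) * ALPHA)


def prob_composite_given_accept(l, k):
    """Theorem 2: prob[n composite | RepeatRabin(n, k) said "prime"] for n drawn as in GenPrime(l, k),
    under the paper's simplification that a composite passes each round with probability exactly 1/4:
    1 / (1 + p/(1-p) * 4^k)."""
    p = prob_prime_odd_l_digit(l)
    return 1.0 / (1.0 + (p / (1.0 - p)) * 4.0 ** k)


def naive_bound(k):
    """The "popular belief" figure 4^-k, which is really prob[Y | X], not prob[X | Y]."""
    return 4.0 ** -k


def rounds_needed(l, target):
    """Smallest k with prob_composite_given_accept(l, k) <= target. Section 4.2: reaching the
    naive 4^-k level costs roughly log_4(l) extra rounds beyond k."""
    k = 1
    while prob_composite_given_accept(l, k) > target:
        k += 1
    return k


def expected_errors(m, l, k):
    """Expected number of composites among m outputs of GenPrime(l, k)."""
    return m * prob_composite_given_accept(l, k)


if __name__ == "__main__":
    print(expected_errors(10 ** 9, 1000, 25))         # about 0.001, as the paper states
    print(prob_composite_given_accept(10 ** 15, 25))  # about 0.5
    print(rounds_needed(1000, naive_bound(25)))       # 31: 25 plus roughly log_4(1000) extra rounds
```

Running the block reproduces the paper's two headline figures (one billion 1000-digit "primes" at k = 25 carry an expected error slightly above 0.001, and GenPrime(10^15, 25) is wrong about half the time) and shows that 31 rounds, not 25, are needed for a 1000-digit candidate to reach the error level the naive 4^{-k} argument promises.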

As mentioned in the introduction, this observation is not restricted to primality testing. Whenever 
one runs any probabilistic algorithm that is not Las Vegas, care must be taken as to how to 
interpret the outcome. More implications of this issue are discussed in [BB]. 

Acknowledgements 

The first observation sprung from an idea attributed to Silvio Micali by Charles H. Bennett 
(private communication) to the effect that any algorithm for extracting square roots modulo a prime 
can be turned into a probabilistic algorithm to decide primality. The main reason why our result 
applies directly only to numbers of the form 4l+3 is that no efficient deterministic algorithm is known 
to extract square roots modulo a prime of the form 4l+1. 

No doubt the second observation has been made several times over by independent people, but 
we have not found any records of this. We wish to thank all those who showed interest in this work 
at the CRYPTO 86 meeting, in particular: Yvo Desmedt, Oded Goldreich, Gus Simmons and Moti 
Yung. Our thanks also go to Whitfield Diffie for granting us a full 12 minutes and 42 seconds to 
present these results. 

References 

[AH] Adleman, L. and M.-D. Huang, "Recognizing primes in random polynomial time", 
presented at CRYPTO 86, 1986. 

[APR] Adleman, L., C. Pomerance and R. Rumely, "On distinguishing prime numbers from 
composite numbers", Annals of Mathematics, vol. 117, pp. 173-206, 1983. 

[B] Babai, L., "Monte Carlo algorithms in graph isomorphism testing", Rapport de Recherches 
du Département de Mathématiques et de Statistiques, Université de Montréal, D.M.S. #79-10, 1979. 

[BB] Brassard, G. and P. Bratley, Introduction to Algorithmics, Prentice-Hall, Englewood Cliffs, 
New Jersey, to appear. 

[CQ] Couvreur, C. and J. J. Quisquater, "An introduction to fast generation of large prime 
numbers", Philips Journal of Research, vol. 37, nos. 5/6, pp. 231-264, 1982. 

[G] Gill, J., "Computational complexity of probabilistic Turing machines", SIAM Journal on 
Computing, vol. 6, no. 4, pp. 675-695, 1977. 

[GK] Goldwasser, S. and J. Kilian, "A provably correct and probably fast primality test", 
Proceedings of the 18th Annual ACM Symposium on the Theory of Computing, 1986. 

[HW] Hardy, G. H. and E. M. Wright, An Introduction to the Theory of Numbers, Fifth edition, 
Oxford Science Publications, 1979. 

[Kn] Knuth, D. E., The Art of Computer Programming, volume 2: Seminumerical Algorithms, 
Second edition, Addison-Wesley, Reading, Massachusetts, 1981. 






[Kr] Kranakis, E., Primality and Cryptography, Wiley-Teubner Series in Computer Science, 
1986. 

[Mi] Miller, G. L., "Riemann's hypothesis and tests for primality", Journal of Computer and 
System Sciences, vol. 13, pp. 300-317, 1976. 

[Mo] Monier, L., "Evaluation and comparison of two efficient probabilistic primality testing 
algorithms", Theoretical Computer Science, vol. 11, pp. 97-108, 1980. 

[PSW] Pomerance, C., J. L. Selfridge and S. Wagstaff, Jr., "The pseudoprimes to 25·10^9", 
Mathematics of Computation, vol. 35, no. 151, pp. 1003-1026, July 1980. 

[P] Pratt, V., "Every prime has a succinct certificate", SIAM Journal on Computing, pp. 214-220, 1975. 

[R1] Rabin, M. O., "Probabilistic algorithms", in Algorithms and Their Complexity: Recent 
Results and New Directions, J. F. Traub (editor), Academic Press, New York, New York, 
pp. 21-39, 1976. 

[R2] Rabin, M. O., "Digitalized signatures and public-key functions as intractable as factorization", 
MIT/LCS/TR-212, 1979. 

[RSA] Rivest, R. L., A. Shamir and L. Adleman, "A method for obtaining digital signatures and 
public-key cryptosystems", Communications of the ACM, vol. 21, no. 2, pp. 120-126, 1978. 

[SS] Solovay, R. and V. Strassen, "A fast Monte Carlo test for primality", SIAM Journal on 
Computing, vol. 6, pp. 84-85, 1977. 



PUBLIC KEY REGISTRATION 



Stephen M. Matyas 

Cryptography Competency Center 
International Business Machines Corporation 
9500 Godwin Drive 
Manassas, Virginia 22110 

ABSTRACT 

A procedure is described for securely initializing cryptographic 
variables in a large number of network terminals. Each terminal has a 
cryptographic facility which performs all necessary cryptographic 
functions. A key distribution center is established, and a public and 
secret key pair is generated for the key distribution center. Each 
terminal in the network is provided with a terminal identification 
known to the key distribution center. The terminal identification and 
the public key of the key distribution center are stored in the 
cryptographic facility of each terminal. A terminal initializer is 
designated for each terminal, and the terminal initializer is notified 
of two expiration times for the purpose of registering the terminal's 
cryptovariable with the key distribution center. The cryptovariable 
is generated by the terminal using its cryptographic facility. Prior 
to the first expiration time, a registration request is prepared and 
transmitted to the key distribution center. The registration request 
includes the terminal identification and the cryptovariable. When the 
key distribution center receives this request, the cryptovariable is 
temporarily registered and that fact is acknowledged to the requesting 
terminal. After the expiration of the second time, the registration 
is complete. Provisions are also made for invalidating a terminal 
identification if more than one registration is attempted for a given 
terminal identification or an intended registration was not made in 
time. 

BACKGROUND 

Historically, contributions in the area of public key 
distribution can be briefly traced, although a thorough treatment of 
the subject would naturally include the works of many others. The 
first known proposal for public key distribution involved placing the 
public key of each user in a public directory (i.e., key distribution 
center) along with the user's name and address [1]. Anyone wishing to 
communicate with a particular user would first contact the public 
directory and request a copy of that user's public key. A second 
proposal simply called for a pair of devices wishing to communicate to 
exchange their public keys via the communication channel in advance of 
the communication session [2]. 

An improvement to the first method was made by distributing 
public keys from a key distribution center (KDC) wherein the messages 
containing the keying information were "signed" using the secret key 
of a public/secret key pair belonging to the KDC [3]. In advance, the 
public key of the KDC is distributed to each communicant in the system 
and this key is then used to validate the received signature and 
message containing the keying information. A similar approach was 
suggested wherein each communicant registers his public key and 
identifier with the KDC and, in turn, receives from the KDC a public 
key certificate, which is a message containing his public key and 
identifier that has been signed using the secret key of the KDC [4]. 
In advance, the public key of the KDC is distributed to each 
communicant in the system, and this key is then used to validate 
received certificates. To communicate, individuals need only exchange 
and validate each other's public key certificate. Both approaches 
provide a path with integrity to distribute public keys previously 
registered with the KDC. 

Racal-Milgo proposed a method of dynamic public key distribution 
which incorporates an anti-spoofing procedure [5]. Briefly, two 
parties who wish to communicate with a public key algorithm each 
generate a public and secret key pair. The respective public keys are 
exchanged via the communication channel. Upon receipt, each 
communicant calculates a prescribed function of the received public 
key. The communicants then contact each other via telephone and 
exchange the calculated values, which can then be verified by the 
originating communicants. For the check to work, the telephone 
channel itself must have integrity or the callers must recognize each 
other's voice. 

A similar anti-spoofing technique which pre-dates the Racal-Milgo 
technique was proposed by Bell Telephone Laboratories [6]. With 
Bell's technique, the key validation information is exchanged via 
letter using the postal system rather than by using voice 
communications. Otherwise, the concept is the same. For the check to 
work, the postal system handling the mail must have integrity, 
otherwise the anti-spoofing check itself could be spoofed. 

From the foregoing, it is apparent that while advances in public 
key distribution techniques have been made, the problem of initially 
securely registering public keys with a key distribution center has 
not been appropriately dealt with. 

PUBLIC KEY REGISTRATION PROCEDURE 

It is the object of the public key registration procedure to 
initialize with security and integrity a large number of devices in an 
information handling system with cryptographic variables without 
requiring couriers to transport these cryptographic variables. For 
convenience, the devices in the network will be terminals. The 
procedure is general in that it permits the registration of both 
secret and nonsecret variables, although of primary interest is the 
registration of public keys of terminals. The public key registration 
process may also be thought of as part of the larger process of 
terminal initialization. 

Initialization of the terminal is performed by a designated 
representative called the terminal initializer. In all cases, the 
terminal initializer is a person who acts responsibly to carry out the 
steps of the terminal initialization procedure. The terminal 
initialization procedure comprises the steps of causing the terminal 
to generate and register one or more cryptovariables with a designated 
key distribution center (KDC) and promptly reporting to the KDC any 
encountered problems. Typically, the terminal initializer will be an 
employee of the organization at the location where the terminal is 
physically installed, such as a terminal user, terminal owner, 
manager, or member of the local site security. In situations where a 
third party key distribution center is employed, the terminal 
initializer may be a locally appointed agent of the KDC. The terminal 
initializer has no responsibility for transporting keys, public or 
private, or for installing secret keys by entering them directly into 
a cryptographic device. Therefore, the terminal initializer is not a 
courier, and does not perform the functions of a courier. 

Each terminal in the network is provided with a cryptographic 
facility (CF) consisting of hardware and software components that 
perform the necessary cryptographic functions to support the required 
cryptographic operations. A subset of these functions supports the 
terminal initialization procedure. Overall cryptographic security 
(including that of the terminal initialization procedure) rests on an 
assumption of integrity of the CF, including stored keys and programs 
and associated supporting software, which is guaranteed by the design 
and by other physical security measures instituted. Prior to the 
terminal initialization procedure, the KDC generates a public key and 
secret key pair (PKkdc, SKkdc), which are the keys that operate with 
the public key algorithm. A unique nonsecret terminal identifier 
(TID) and the public key of the key distribution center (PKkdc) are 
assumed to have been installed in the CF of the terminal. The TID and 
PKkdc could be installed, for example, in microcode as part of the 
manufacturing process of the terminal. Alternatively, they could be 
installed at a central location and the terminals with the installed 
TID and PKkdc shipped to the final destination, or they could be 
installed by the terminal initializer, i.e., locally after the 
terminal has been installed. 

For each terminal which is to be initialized, as previously 
mentioned, the KDC designates a terminal initializer who is 
responsible for carrying out the necessary terminal initialization 
procedure at the device. Each terminal initializer is provided with a 
set of instructions outlining the terminal initialization procedure. 
The security of the procedure rests on the assumption that the 
terminal initializer will comply with the issued instructions and 
understands that failure to comply with these instructions may result 
in an adversary successfully registering a key with the key 
distribution center. The KDC also provides the terminal 
initializer with two expiration dates, ordinarily separated by several 
days, which delimit periods of time in which certain prescribed steps 
within the terminal initialization procedure must be completed. The 
security of the procedure rests on the assumption that the terminal 
initializer receives notification of the two expiration dates and the 
terminal initialization instructions at some time well in advance of 
the expiration dates so that the steps of the procedure can be 
performed within the prescribed allotted time. 

According to the terminal initialization procedure, prior to the 
first expiration date, a cryptovariable can be temporarily registered 
at the KDC under the designated TID provided that the TID has not been 
invalidated and no other prior cryptovariable has been temporarily 
registered for the TID. In the discussion that follows, the 
cryptovariable registered is a public key, and therefore this process 
is called "public key registration." If a public key has already been 
registered under a given TID, an attempt to register a different 
public key under that same TID prior to the first expiration date will 
result in the TID being invalidated. After the first expiration date, 
the public key registration process is disabled at the KDC for that 
TID. 

Prior to the second expiration date, the KDC permits a TID to be 
invalidated without "proof" of the identity of the requestor. This 
process is called "ID invalidation without proof of identity." After 
the second expiration date, the process of ID invalidation without 
proof of identity is disabled for that TID, and the temporary status 
of the registration is considered changed to that of a permanent 
registration. 

After the second expiration date, the KDC permits a TID to be 
invalidated only after the requestor has been identified and 
authenticated and his or her authorization to invalidate a particular 
TID has been verified. This process is called "ID invalidation with 
proof of identity." 

After the second expiration date and upon request, the KDC will 
issue a PK certificate for any TID provided that the TID is valid and 
a public key has been registered for that TID. A PK certificate 
consists of a TID, public key, certificate expiration date, possibly 
other data, and digital signature produced on the foregoing data using 
the secret key of the KDC. One recommended method for calculating a 
signature is to first calculate an intermediate value or function of 
the message using a strong one-way cryptographic function. This 
intermediate value is then decrypted with the secret key SKkdc to 
produce the signature. If the TID is invalid or no public key has 
been registered, an appropriate response message is prepared on which 
a digital signature is calculated using the secret key of the KDC and 
the message and signature are returned to the requesting terminal. 

Under normal operating conditions, the terminal initialization 
procedure proceeds as follows. Well in advance of the first 
expiration date, a public key and secret key pair are generated at the 
terminal using an available key generation procedure. A public key 
registration request message containing the TID and public key of the 
terminal is sent to the KDC. Under normal conditions no adversary 
will have interfered with the process, and therefore no public key 
will yet be temporarily registered under the designated TID. 
Therefore, the KDC temporarily registers the public key under the 
specified TID, prepares an appropriate response message containing the 
TID and public key on which a digital signature is calculated using 
the secret key of the KDC in the manner previously described, and the 
message and signature are returned to the requesting terminal. After 
authenticating the received message, the requesting device signals the 
terminal initializer that the desired public key has been temporarily 
registered at the KDC under the specified TID. (It is assumed that 
the hardware and software components involved with terminal 
initialization have integrity and that the terminal being initialized 
is the prescribed, genuine terminal.) The procedure for 
authenticating a signature is similar to the procedure for calculating 
a signature. The same intermediate one way function of the message, 
which was used in calculating the signature, is again calculated from 
the message. The received signature is then encrypted using the 
public key of the KDC (PKkdc) to recover a clear value of the one way 
function of the message, and the recovered one way function of the 
message is compared for equality with the calculated one way function 
of the message. If the comparison is favorable, the message and 
signature are accepted; otherwise, if the comparison is unfavorable, 
the message and signature are rejected. 

The protocol now requires a delay, and the terminal initializer 
must wait for the passage of the second expiration time in order that 
the KDC may assure that the temporarily registered public key is 
genuine; i.e., that it originated from the authorized, appointed 
terminal initializer. After the second expiration time, a 
terminal-initializer-initiated message containing the TID is sent to 
the KDC requesting "ID Verification" for that TID. Under normal 
conditions no adversary will have interfered with the process and 
therefore the specified TID will be valid and the previously 
temporarily registered public key will still be registered. But due 
to the expiration of the second time, the registration is now 
considered permanent. Therefore, the KDC prepares and returns a 
message to the requesting terminal specifying the registered public 
key for that TID. A digital signature is prepared on this message 
using SKkdc which allows the requesting terminal to authenticate the 
received message using the installed PKkdc in the manner previously 
described. This signals satisfactory completion of the terminal 
initialization procedure and provides the necessary proof that the 
desired public key has been successfully initialized at the KDC. 
Alternatively, the KDC could return a public key certificate to the 
requesting terminal, and this would also serve as proof to the 
terminal that the public key had been registered. 

Once an authenticated response has been received from the KDC 
stating that a public key has been temporarily registered or that the 
TID has been invalidated, the worst that could happen is that an 
adversary could cause a genuine temporarily registered public key to 
be erased by invalidating the TID prior to the second expiration time. 
Hence, for practical purposes, a safe state is reached, and it is 
therefore possible with no loss in security to allow a protocol 
variation wherein the terminal-initializer-initiated message sent to 
the KDC requesting "ID Verification" following the second expiration 
time can be replaced by a similar terminal-user-initiated message. 
This protocol variation has the advantage that ordinarily the terminal 
initializer can complete the terminal initialization procedure with 
only one terminal visit, prior to T1. The terminal user, who is 
notified by the terminal initializer of the terminal initialization 
status and the value of T2, completes the protocol after the second 
expiration time. Of course, the protocol variation is the same as the 
original protocol when the terminal initializer and the terminal user 
are the same person. 

In a network where it is convenient for the KDC to send messages 
to the terminals, such as in a store-and-forward electronic mail 
distribution system, yet another variation on the protocol is 
possible. The step following the second expiration time wherein a 
terminal-initializer-initiated or terminal-user-initiated message is 
sent to the KDC requesting "ID Verification" is replaced by a step 
wherein the KDC automatically prepares and sends a response to the 
original requesting terminal. This response is just the same as that 
which would have been sent in the response to a request for "ID 
Verification" except here the response is triggered by reaching the 
second expiration time rather than upon receiving a request message. 
Otherwise, the protocol is the same. If no response is received at 
the terminal within a reasonable period of time after the second 
expiration time, the terminal initializer or the terminal user, 
depending on which protocol is used, reports this discrepancy to the 
KDC. 
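The registration lifecycle described above (temporary registration before the first expiration time, ID invalidation without proof before the second, permanent registration and certificates after it) together with the hash-then-sign and encrypt-to-verify procedure of the KDC, as an added example that is not part of the paper or of IBM's implementation: a Python model in which a KDC object enforces the T1/T2 rules and signs every response, and the terminal side authenticates responses with PKkdc. The toy RSA parameters (two Mersenne primes), the reduction of the SHA-256 digest modulo N, the message field names and status strings, the abstraction of "proof of identity" as a boolean, and the treatment of a repeated identical registration as harmless are all assumptions of this example.

```python
import hashlib
import json

# Toy RSA pair (PKkdc, SKkdc) for the KDC. The two Mersenne primes are chosen only so
# the example is deterministic and small; they are constructed values, not anything
# from the paper, and a real KDC needs properly generated large primes.
_P, _Q = 2 ** 31 - 1, 2 ** 61 - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
PK_KDC = (N, E)   # installed in every terminal's cryptographic facility (CF)
SK_KDC = (N, D)   # held only by the KDC


def _digest(message):
    """Strong one-way function of the message; reduced modulo N here as a toy simplification."""
    data = json.dumps(message, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(message, sk=SK_KDC):
    """KDC side, as the paper describes: hash the message, then 'decrypt' the hash with SKkdc."""
    n, d = sk
    return pow(_digest(message), d, n)


def verify(message, signature, pk=PK_KDC):
    """Terminal side: 'encrypt' the signature with PKkdc and compare with the recomputed hash."""
    n, e = pk
    return pow(signature, e, n) == _digest(message)


class KDC:
    """Per-TID lifecycle: temporary registration before T1, ID invalidation without
    proof of identity before T2, permanent registration and certificates after T2."""

    def __init__(self, t1, t2):
        self.t1, self.t2 = t1, t2     # first and second expiration times
        self.registered = {}          # TID -> registered public key
        self.invalid = set()          # invalidated TIDs

    def _reply(self, **fields):
        """Every KDC response is signed so the terminal can authenticate it with PKkdc."""
        return fields, sign(fields)

    def register(self, tid, pk, now):
        if now >= self.t1:
            return self._reply(tid=tid, status="registration disabled")
        if tid in self.invalid:
            return self._reply(tid=tid, status="TID invalid")
        if tid in self.registered and self.registered[tid] != pk:
            # A different key under an already registered TID before T1 invalidates the TID.
            del self.registered[tid]
            self.invalid.add(tid)
            return self._reply(tid=tid, status="TID invalidated")
        self.registered[tid] = pk     # assumption: re-sending the identical key is harmless
        return self._reply(tid=tid, pk=pk, status="temporarily registered")

    def invalidate_without_proof(self, tid, now):
        if now >= self.t2:
            return self._reply(tid=tid, status="invalidation without proof disabled")
        self.registered.pop(tid, None)
        self.invalid.add(tid)
        return self._reply(tid=tid, status="TID invalidated")

    def invalidate_with_proof(self, tid, now, requestor_authorized):
        # After T2 the requestor must be identified, authenticated and authorized;
        # that check is abstracted here as a boolean supplied by the caller.
        if now < self.t2 or not requestor_authorized:
            return self._reply(tid=tid, status="refused")
        self.registered.pop(tid, None)
        self.invalid.add(tid)
        return self._reply(tid=tid, status="TID invalidated")

    def verify_id(self, tid, now):
        """'ID Verification' request after T2: reports the now-permanent registration."""
        if now < self.t2:
            return self._reply(tid=tid, status="registration not yet permanent")
        if tid in self.invalid or tid not in self.registered:
            return self._reply(tid=tid, status="TID invalid or no key registered")
        return self._reply(tid=tid, pk=self.registered[tid], status="permanently registered")

    def certificate(self, tid, now, cert_expiry):
        """PK certificate: TID, public key and expiry date, signed with SKkdc."""
        msg, sig = self.verify_id(tid, now)
        if msg["status"] != "permanently registered":
            return msg, sig
        return self._reply(tid=tid, pk=self.registered[tid], expires=cert_expiry,
                           status="certificate")


def normal_run(t1=10, t2=20):
    """Honest terminal initializer: register before T1, wait, verify after T2."""
    kdc = KDC(t1, t2)
    msg, sig = kdc.register("TID-0001", "PK-terminal-0001", now=1)
    if not (verify(msg, sig) and msg["status"] == "temporarily registered"):
        return False
    msg, sig = kdc.verify_id("TID-0001", now=25)
    return verify(msg, sig) and msg["status"] == "permanently registered"
```

The point worth checking against this model is the one the paper makes about the "safe state": once the terminal holds a signed "temporarily registered" response, an adversary who registers a conflicting key under the same TID before T1 only causes the TID to be invalidated (which the terminal initializer reports), and never ends up with the adversary's key permanently registered.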
An expanded discussion of the above initialization procedure can 
be found in IBM TR 21.1000 [7]. 
ABSTRACT 

Cryptography can increase the security of computers and modern telecommuni- 
cation systems. Software viruses and hardware trapdoors are aspects of computer 
security. Based on a combination of these two aspects, an attack on computer secu- 
rity is presented. The complexity of finding such an attack is discussed. A new 
open problem is: can cryptography prevent such an attack. 

1. Introduction 

The problem of authenticity plays a very important role in the security of modern telecommuni- 
cation and computer systems. Cryptography can be used to control access to chips used in these sys- 
tems and to verify the authenticity of the commands and/or messages and sender. Today such chips 
are being introduced, e.g. Keyproms. Cryptography can evidently also protect the privacy of the 
information going around in these systems. In other words, the use of cryptography on each (VLSI) 
chip in the system increases the computer security, e.g., by protecting against eavesdropping and/or 
active eavesdropping on the bus of the computer. 

In this paper we show that the above solution is not enough to obtain secure computer systems. 
Let us first introduce the notion of software virus and briefly discuss the hardware aspects of com- 
puter security. 

A software virus is a subprogram that contains some undesired commands (e.g. time-bomb) and 
has the capability to copy itself into executables. As a consequence one can completely control a 
computer (or several computers) using such a software virus. For example one can give somebody a 
computer game containing such a software virus. The virus copies itself into all executables of the 
owner of the computer game, while he is playing. If the owner shares some of his executables with 
other users, the virus affects all executables of the others, and so finally affects the operating system. 

Let us briefly discuss some of the hardware aspects of computer security. PCB (printed circuit 
boards) are sometimes changed during maintenance and it is not excluded that the new PCB is inten- 
tionally slightly different from the previous. For example if a PCB controls the access to files, the 
new PCB may allow a trapdoor access. 

Before explaining our attack, we introduce (in Section 2) hardware trapdoors and similar 
hardware frauds (in chips), which we will call hardware viruses. The reason for this term will be clear 
at the end of this paper. Our attack is presented in Section 3. The attack and hardware viruses would 
not be important if they were easy to detect. In Section 4 we prove that the computational com- 
plexity of proving that no hardware virus exists in a chip is at least NP-hard. In Section 5 the 
dangers of such hardware viruses are briefly discussed, and more advanced attacks are overviewed in 
Section 6. Section 7 is related to a new open problem in cryptography. 

† This research started while the author was an appointed researcher (aangesteld navorser) of the NFWO at the Katholieke Universiteit Leuven. 

2. A hardware virus 

For a chip it is possible that non-specified commands exist. These non-specified commands may 
be (or were) used for test purposes of the chip, or will be used in new versions of the chip. However 
it is also possible that these non-specified commands allow the chip to act completely differently than 
specified, e.g., block (halt) itself, or destroy itself, or affect all following commands and/or 
inputs/outputs and performance of the chip. It is possible that these non-specified commands are only 
known by the VLSI designer, who put them in for fun, or other reasons. Let us now briefly discuss 
some variations to implement these fraudulent non-specified commands. The non-specified commands 
can be given using the pins used for commands, or can be introduced through the input. In the last 
case a 64 bit pattern is given at the input (e.g. using other non-command pins). This 64 bit pattern is 
recognized by the chip as being the start sequence of non-specified commands. Evidently in a VLSI 
chip which also performs encryption, this pattern can be signed, and/or hardware trapdoors can be 
used to bypass the encryption part. If a (VLSI) chip contains such fraudulent non-specified com- 
mands, we will call it affected by a hardware virus. We remark that the effect of the hardware virus 
can be much worse than that of a simple trapdoor access to the chip. Another variant is a hardware 
virus which is activated at random by the chip itself, for example if during the calculations in the 
chip some pattern of 46 bits appears, the chip starts to do crazy things. The length of this pattern can 
be chosen by taking into consideration: the speed of the chip and the "desired" frequency (or proba- 
bility) of the fraudulent effect of the virus. In this case no external command is in fact necessary. 
The chip performs however differently than specified. We will also say in this case that the chip is 
affected by a hardware virus. Instead of the virus being activated at a random moment, the time can 
be used to trigger the effect of the virus. 

It is evident that such a virus will be easy to detect if the complexity of the VLSI chip is not high (e.g. a lot of repetition). In other words, in such cases the designer will probably not introduce a hardware virus. Note that the harder it is to reverse engineer a chip, the more difficult it becomes to find the hardware virus. The complexity of finding a hardware virus is discussed in Section 4.

A solution against hardware viruses is to make only chips which are straightforward to reverse engineer. However, this allows other companies to copy the bright ideas (e.g. new, faster algorithms) and use them for their own purposes in different applications, so this solution has important drawbacks. Another approach to limit the probability that the designer introduces a hardware virus is a clearance procedure to check the designer. This solution can never exclude the possibility of fraud. A double-check method can be used by having two designers instead of one.

In the next section we explain that the last two methods are not sufficient. 

3. Software viruses creating hardware viruses 

In the previous section it was the designer who intentionally introduced the hardware virus into the chip. In this section we discuss how hardware viruses can be introduced by a CAD (Computer Aided Design) program, without the knowledge of the VLSI designer and/or without the knowledge of the CAD designer.

CAD is used more and more to design complex VLSI chips. CAD, being (mainly) software, suffers from all of software's inconveniences. In particular, a software virus can exist in a CAD system. A dreadful case of a software virus living in a CAD program is one in which the virus contains information to create a hardware virus. Let us briefly explain how this works.

Chips contain easily detectable patterns, such as transistors. These patterns (and others) are used by the software virus to first check whether it is in a CAD program. Once this is confirmed, a flag can be set to avoid rechecking and losing time. Then, during the execution of the CAD program to make the VLSI chip, the software virus checks the complexity of the chip, i.e. whether the same block is used over and over again. If this is not the case, and the software virus concludes that the complexity of the chip is high, it introduces a hardware virus.

The hardware viruses introduced by a software virus through a CAD program can be very trivial ones. An example of the effect of such a hardware virus is to create an electrical short circuit after a fixed time of use of the chip. More complicated hardware viruses can be introduced using more advanced software viruses. These software viruses can use artificial intelligence and/or software libraries. This last idea is explained in more detail in Section 6.

Recall that a software virus can be introduced through a game. It is possible that the software virus was injected into the CAD program on the computer of the designers of the CAD program, or on the computer of its users. As a consequence it is very difficult to find it in the CAD program, certainly if the length of CAD programs is taken into consideration. Antibody programs (detecting and removing software viruses) can be ineffective if the virus is introduced immediately after the antibody program has checked the CAD program.

4. Complexity of finding hardware viruses 

A hardware virus is only dangerous if it is very hard to detect. Let us focus on the problem of proving that no hardware virus exists in a chip. In order to prove that this problem is NP-hard, we restrict ourselves to chips which are nothing else than a Boolean function. Proving that no hardware virus exists in this case means proving that for all possible inputs, the Boolean function f corresponding to the specs is equal to the Boolean function g corresponding to the chip. If for all inputs f = g, then there is no hardware virus. This problem is the complement of the satisfiability problem, which is NP-complete. This is easy to see by considering the function h defined as the exclusive or of f and g: an input satisfying h is exactly an input on which the chip deviates from its specification, so the chip is virus-free if and only if h is unsatisfiable. So the problem is co-NP-complete. If one drops the restriction on the chips and considers more general cases than Boolean functions (e.g. with feedback), the problem of proving that no hardware virus is in the chip is at least as hard. In order to make the proof correct from a mathematical point of view, we allow chips with an enormous number of pins, transistors and so on.

We remark that the above reasoning is very similar to a well-known problem in the testing of VLSI chips.
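The trigger-pattern variants of Section 2 and the f XOR g reduction of this section can be made concrete in a small simulation. The following Python is an added example, not code from the paper: the 16-bit "specification" function, the secret 0xBEEF trigger and the 10 MHz clock rate are assumptions chosen for illustration, small enough that exhaustive enumeration stays feasible; at the paper's 46- and 64-bit pattern lengths it is not, which is the whole point.

```python
"""
Toy model of a chip with a hidden trigger, and the spec-vs-chip check of Section 4.
Added example, not the paper's code. spec_f, TRIGGER, WIDTH and the clock rate
are assumptions chosen for illustration.
"""
import random

WIDTH = 16                       # input width of the toy chip; small enough to enumerate
MASK = (1 << WIDTH) - 1
TRIGGER = 0xBEEF                 # activation pattern known only to the designer (assumed)


def spec_f(x: int) -> int:
    """The specified function f: an arbitrary bit-mixing function (assumed)."""
    x &= MASK
    x = (x * 0x9E37) & MASK
    return x ^ (x >> 7)


def chip_g(x: int) -> int:
    """The delivered chip g: equal to f everywhere except on the trigger pattern,
    where it 'behaves differently than specified' (here: one output bit flipped)."""
    if (x & MASK) == TRIGGER:
        return spec_f(x) ^ 1
    return spec_f(x)


def h(x: int) -> int:
    """h = f XOR g. A satisfying assignment of h (an x with h(x) != 0) is exactly an
    input on which the chip deviates, so 'no virus' means 'h is unsatisfiable'."""
    return spec_f(x) ^ chip_g(x)


def exhaustive_check() -> list:
    """Decide equivalence by enumerating every input: 2^WIDTH evaluations.
    Returns the list of deviating inputs (empty means virus-free)."""
    return [x for x in range(1 << WIDTH) if h(x)]


def random_test(num_vectors: int, seed: int = 1) -> list:
    """What production testing does instead: a sample of random input vectors."""
    rng = random.Random(seed)
    return [x for x in (rng.randrange(1 << WIDTH) for _ in range(num_vectors)) if h(x)]


def miss_probability(pattern_bits: int, num_vectors: int) -> float:
    """Probability that random testing never presents a single n-bit trigger input."""
    return (1.0 - 2.0 ** -pattern_bits) ** num_vectors


def expected_seconds_to_internal_trigger(pattern_bits: int, clock_hz: float) -> float:
    """Section 2's self-activating variant: if an n-bit internal value is compared with
    the pattern once per cycle and behaves like a uniform random value, activation is
    expected after about 2^n cycles. This is how a designer sizes n against the chip
    speed and the 'desired' activation frequency."""
    return (2.0 ** pattern_bits) / clock_hz


if __name__ == "__main__":
    print("deviating inputs found exhaustively:", [hex(x) for x in exhaustive_check()])
    print("deviating inputs found by 1000 random vectors:", random_test(1000))
    print("P(miss a 46-bit trigger with 1e9 random vectors) =", miss_probability(46, 10**9))
    print("expected days to a 46-bit internal trigger at 10 MHz =",
          expected_seconds_to_internal_trigger(46, 10e6) / 86400)
```

Exhaustive enumeration finds the single deviating input because the toy is 16 bits wide; a thousand random vectors almost always miss it, and for a 46-bit trigger even a billion vectors miss with probability above 0.9999. The internal-trigger arithmetic shows why 46 bits is a plausible choice for a designer: at 10 MHz the chip is expected to run for roughly eighty days before misbehaving, long after acceptance testing.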

5. Dangers of hardware viruses 

In order to estimate the dangers and the impact of software viruses making hardware viruses, it 
is very important to remember that chips are not only used in computers. Chips are used today in: 
telecommunication systems, instruments, controllers (e.g. controlling the temperature of a process in a 
chemical plant), consumer electronics, security systems (e.g. detecting burglary), medical electronics, 
industrial electronics (as in robots), cameras, cars, trains, aviation, military applications, space and so 
on. It is not difficult to imagine the consequences of hardware viruses in these applications, certainly if the hardware virus is more complex (see Section 6).

It is evident that such hardware viruses (certainly when introduced without the knowledge of the chip designer, see Section 3) affect not only the user, the consumer and the industry using the chips, but also the whole economy based on chip technology, and national security.

It is even worse if one takes into consideration that the modern methods of fault-tolerant computing are not adequate to protect against such an attack. Indeed, the hardware virus in one chip can trigger others, and/or the event can be planned from the moment the virus is designed, so that redundant chips fail together instead of independently.

If license fees have to be paid for chips made by the CAD program, the above attack can be used in a more positive way.

6. More advanced and variant CAD attacks 

If artificial intelligence continues to develop, it is not excluded that in the future more advanced 
attacks will become possible. Indeed the software virus in the CAD could also test what kind of chip 
is under design. Once it figures out what the purpose of the chip is, it selects an adequate hardware 
virus from a secret software library. If it is for example a disk controller, the hardware virus can be 
designed to destroy intentionally information on the disk. In the case of a microprocessor (or other 
part of a computer) the hardware virus contains information to start on the computer (which is under 
development) a software virus. The opinion of the author related to the last example is that it will 
only be realistic if VLSI chips contain many more transistors. 

Gate arrays are very frequently used in industry. The design is done by the client (some com- 
pany). The translation from gates to transistors and optimization of these gates is done by another 
company. After delivery it is even difficult for the designer to reverse engineer the chip. Here a 
hardware virus can be introduced at several levels: gate level and transistor level. In general it is pos- 
sible that the introduction of the virus is done just before processing the chip. There are enough steps 
in the process of making a chip (and certainly a gate array), where a hardware virus can be intro- 
duced by a CAD or other program. 

7. Open problem 

A few years ago, several chips were needed to implement a cryptographic algorithm. Recently one chip became sufficient. Now cryptographic algorithms can be part of a VLSI chip. During this process of miniaturization, cryptography is beginning to be used to check access to chips (see Section 1), in other words enlarging its application domain from protecting the system (e.g. against eavesdropping) to protecting parts of the system (access to chips). An open problem is whether cryptography can be used at a sub-chip level in order to make virus-free chips, or to prove that chips are virus-free, without affecting the privacy of the chip design, in other words without making chips easily reverse engineerable. From this point of view we can wonder if there is an ultimate use of cryptography.

The author thinks that it will be very difficult for modern cryptography to protect against the described attack without imposing severe restrictions on the chip design methods. This personal opinion finds its grounds in the fact that proving that a chip is virus-free is NP-hard (see Section 4).

8. Conclusions 

The problem of hardware viruses introduced by a software virus coming from a computer game through a CAD program affects several aspects of computer security and security in general. It is also an interesting open problem whether cryptography can move to the sub-chip level, or whether its use is limited to the system and chip level.

Although the author has not actually run such an attack against a CAD program, several arguments have been given relating to the feasibility of such an attack. It would be worthwhile to construct such a software virus in order to obtain more information about practical problems and related aspects.
ABSTRACT :



At first glance, the smart card looks like an improvement of the traditional credit card.

But the smart card is a multi-purpose and tamper-resistant security device. And behind a standardized interface, the built-in electronics may evolve, in memory size and in processing power. This evolution, while resulting from economic considerations, is in tune with an enhancement of both physical and logical security.

Some mechanisms in key-carrier cards are described, thus giving a taste of the state of the art in card operating systems. The underlying reality is an invasion of our daily lives by cryptology and computers. This invasion will have a large influence on security in various fields of application, not only banking operations, but also data processing, information systems, and communication networks.
INTRODUCTION :



Including magnetic stripes and embossed areas, a banking IC card looks like a gadget-laden plastic credit card. But, embedded in the thickness of its plastic, there are one or more integrated circuits designed to perform both processing and memory functions. Magnetic stripes and embossed areas, the traditional technologies of credit cards, are deprived of any processing power, with only memory functions; the relevant standards specify every detail without any degree of freedom for further evolution.

An IC card is not defined by IC number, position, or performance. On current cards, the interchanges with the outside are conducted through electrical contacts ensuring galvanic continuity between the built-in electronics and an external interface device. Other types of IC cards may be developed in order to avoid contacts. But an IC card is, and will be, defined through a standardized interface taking into account its processing power.

Trade-offs between costs and performance are evidently related to the current state of the art and to the current needs of the applications. Technological evolutions deal with power consumption and integration scales, resulting in a tremendous increase in both memory size and processing power. Behind a standardized interface, the built-in electronics may evolve while terminals remain unchanged.

Reductions in both feature size and power consumption will complicate the physical investigation of processors dedicated to smart cards, the famous Self-Programming One-chip Microprocessors, abbreviated as SPOMs: existing SPOMs are today considered tamper-resistant, and we know of no successful violation of their transaction memory.

Additions in processing power (CPU and RAM) and in operating systems (ROM) will increase the logical security, and allow the use of more complex and more varied cryptographic algorithms. While unpublished and proprietary, the algorithm named Telepass2, used in French bank cards, has been successfully evaluated by a well-known specialized agency. Current SPOMs are already able to implement very secure algorithms.

In the semiconductor industry, technological trends are in tune with security. This exciting situation is very new! And at ISO level, the general approach to this interface takes these potential evolutions into account.



CONTACT LOCATION AND ASSIGNMENT 



In existing ISO standards, credit card surfaces had already been partially reserved. It seems impossible to locate contacts on magnetic stripes or in embossed zones. Marketing considerations have been expressed in the US so as to share the front of a credit card between the issuing bank and the credit card company. Moreover, Japan has chosen a national magnetic stripe position on the card's front side, in disagreement with ISO standards. The sum of these constraints explains the difficulties met by ISO in its international quest for an agreement on contact location.

ISO has reached a first basic agreement on contacts: number, minimum dimensions, relative position and assignment. On existing smart cards, the outside accesses the built-in electronics through six electrical contacts. With respect to GND (ground) as a reference voltage, the outside must provide VCC (supply voltage), VPP (programming voltage), CLK (clock signal), and RST (reset signal) with suitable signals in order to exchange information on I/O (input/output). Two spare contacts, named RFU, are reserved for future use (see figure 1). This agreement protects the existing dedicated chips and the existing ways of packaging electronics in the cards.

Nevertheless, two 8-contact positions are described in the DIS (Draft International Standard, now under ballot). One beneath the other, the set of sixteen contacts forms a regular pattern located relative to a corner, in such a way that mixed contactors are easy to design and to produce. In France, mixed contactors are being installed in public telephone booths as well as in interface devices to be connected to Minitels. Extensively used in France, the upper position is mechanically more reliable: a card is more resistant to bending with a chip closer to a corner. But the lower position is more in tune with Japanese constraints, and allows the contacts to be located on the back side. While being the traditional one, the upper position is said to be "transitional" in the ISO documents.

The standardization aims at an international agreement on a complete and unambiguous specification of this interface, covering not only physical characteristics, contact location and assignment, but also electrical signals, answer to reset, exchange protocols (now also at DIS stage) and interindustry requirements (now under study). ISO assigned these general tasks in 1981 to subcommittee SC17 "Identification Cards" in technical committee TC97 "Information Systems".

In 1985, ISO entrusted TC68 "Banking" with two new specific work items on security and data contents related to banking operations. The adoption of these new work items was felt to be so important that it produced a rearrangement of TC68, with the creation of a new subcommittee SC6 dealing with "Financial transaction cards, related media and operations".



SOME TECHNOLOGICAL ASPECTS : 



As a result of a transaction, the card delivers information (stored data, computation results), and/or modifies its content (data storage, event memorization). The built-in electronics always include an electrically Programmable Read Only Memory (PROM). Each PROM cell originally in state "1" may be turned to state "0" by an electrical process under control of the built-in electronics. This PROM contains the transaction memory, the content of which evolves during card life.

Two major technologies are currently producing PROM components: bipolar and MOS (metal oxide semiconductor).

Though quicker, bipolar logic is more power-consuming and less easy to integrate than MOS logic. But more important: the bipolar writing process destroys a part of the memory cell, in such a way that bipolar PROMs are optically readable (see figure 2)! Nevertheless, at the outbreak of IC cards, bipolar technology was seriously considered: the reason was the irreversibility of the writing process.

No physical method is known to investigate MOS PROMs so as to directly visualize a cell content without using the internal buses: the MOS writing process is reversible! And the existing MOS PROMs can be erased either by ionizing radiation, such as UV light or X-rays, or by another electrical process. All existing cards are now using MOS components, which are cheaper, more secure, and allow microprocessor technology to be matched with a PROM memory.

The technological controversy now lies in the comparison between UV-erasable PROM, named EPROM, used as write-only memory, and electrically erasable PROM, named EEPROM, and so rewritable. When widely available, EEPROMs are felt to be more flexible than EPROMs, but with much less capacity for a given die size. At present, EEPROM technology is less mature and more expensive.

Other parallel technological evolutions are in progress :
- scales of integration move from a range of 4 to 3 µm to a range of 2 to 1 µm ;
- the rise of CMOS and HCMOS considerably reduces power consumption in the cards.

These reductions in feature size and in power consumption will considerably increase the difficulties of investigating the PROM contents. And to close the general considerations, let us remember a generally agreed limitation: to obtain a reliable card, the size of the chip must not exceed 20 mm².



A FAMILY OF IC CARDS : 

Under control of the built-in electronics, the content of the transaction memory evolves during card life. Depending on the increasing complexity of this electronics, three types of IC cards are currently in use (see figure 3) :

- Memory cards containing only a transaction memory with very simple writing protections.

- Logic cards containing a transaction memory and a logic array of gates : this logic array tests a confidential code before giving access.

- Smart cards containing a programmed microprocessor which itself controls all accesses to the transaction memory.

In France, these three types of IC cards are illustrated by :

- Memory cards : 40-unit or 120-unit prepaid "Télécartes", used anonymously in public telephone booths ;

- Logic cards : "Télécommunications" cards identifying their bearer in order to charge phone calls to a number ;

- Smart cards : bank cards and key-carrier cards, which may also be used in public telephone booths !

It is inefficient to search for relations between applications and types of cards : the three types are in use in the telephone system, while bank cards are designed so as to easily extend their use to various services.

- The simpler cards are specific to only one purpose, and it is rather difficult to share a chip production between several applications.

- On the other hand, the smart card is essentially a multi-purpose device. And the chips are programmed by mask during the manufacturing process. There is no difficulty in sharing a chip production. The development of a new mask is easy, and the same line produces chips, whatever the mask !

This paper is devoted to smart cards including a specific integrated circuit, named SPOM, a microcomputer which merges on the same chip a PROM memory and a microprocessor which itself controls all accesses to the PROM memory.
A NEW CHIP : THE SPOM



Including two chips (Fairchild 3870 microprocessor + Intel 2716 EPROM memory), the first smart cards were produced in 1979 after a strong international cooperation between MOTOROLA Inc. and CII HONEYWELL BULL.

This stage of a two-chip card was essential in order to prove the feasibility and to convince potential users to start experiments. These devices also played a prominent part in the development of the various other elements of the systems using smart cards, in order to initiate applications.

Economic considerations led to merging PROM and microprocessor on the same chip. And the cooperation between BULL and MOTOROLA continued with the study of a new microprocessor dedicated to smart cards. Such a microprocessor must be able to execute an internal routine which writes in its transaction memory. A new architecture has been invented to manage registers on the internal buses in such a way that the processor may continue its control while holding the right address and the right content on the buses towards the PROM. Such microprocessors are named Self-Programming One-Chip Microprocessors, abbreviated as "SPOMs" (see figure 4).

Since 1981, SPOM01 has been produced by MOTOROLA Inc. in East Kilbride (Scotland, United Kingdom) ; since 1985, SPOM02 has been produced by THOMSON EUROTECHNIQUE in Le Rousset (Provence, France). Trade-offs between costs and performance are largely indebted to the know-how gathered from the first two-chip cards. Both in nMOS technology, they are about 17 mm² in size. BULL CP8 and PHILIPS are currently manufacturing cards with such SPOMs. Very recently, a prototype (50 mm²) has come from HITACHI, referred to as 65901, while SPOM03 and 04 were announced by MOTOROLA and THOMSON.
In addition to PROM memory, SPOMs also contain ROM written by mask during the chip manufacturing process, and RAM to store temporary results. Let us note that on SPOM02 a cell of RAM is roughly ten times larger than one of EPROM, and a cell of EPROM twice as large as one of ROM (see figure 5).

Before cutting the wafers on SPOM02 production lines, a 512-byte internal routine is activated through a seventh test contact. Each validated component receives various information : locks, codes, and a chip serial number, while nothing is written in rejected components. The test contact is then systematically destroyed, thus definitively disabling invalid components. As a matter of fact, only the self-testing routine may write the witness indicators tested by the card before execution of any command during a transaction with the card.



ADDITIONAL SECURITY FEATURES : 



Absolute physical security does not exist, no more for smart cards than for any other computing device. System designers must consider the potential consequences of violations. Secret keys in a system must be as diversified as possible and, in a user card, tied to the chip serial number. A violation then results in an attack against only one user and does not endanger the whole system, thus reducing the potential benefits from fraud. These aspects of logical security are strongly related to cryptology.
In key-carrier cards as well as in bank cards using existing SPOMs, the transaction memory is organized in 32-bit words. During card issue, an issuing block is written in a dedicated 6-word zone. This block stores the secret distribution key in four 32-bit words. Each card issuer owns his secret cryptographic function. He uses it to compute, or to recompute, a unique secret distribution key from each chip serial number. This key, unique to each card, must hereafter be correctly used to control various operations, such as writing new secret words and delivering new authorizations. Very different from a confidential code, this cryptographic key is used as a parameter in a cryptographic computation prescribed in internal routines and executed by the card itself.

The card issuer may remotely and securely authenticate a card : a random value is sent to each calling card, which must answer with both its chip serial number and the result of a computation using the distribution key. From the chip serial number, the issuer reconstructs the distribution key and then the computation result, thus authenticating the card.

The card issuer may also identify the card user by including a user confidential code in the authentication process : the code given locally modifies the random value sent by the issuer. In a first solution, only the card knows the code : the card modifies the incoming value by an internal code, and the internal modification must cancel the external one. In a second solution, the issuer modifies the random value before sending it to the user : the external modification must then restore the initial value.

In addition to these functions, when the cryptographic computation in the card reverses an external cryptographic computation performed by the issuer, the card may identify its issuer before remotely executing its directives. At the end of a cryptographic computation, the card tests the result : for example, when the 64-bit result consists of two identical 32-bit fields, the card assumes that only its issuer could have induced such a result. So the issuer is now the real master of the silicon, because each SPOM may securely and remotely identify its master.
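The card authentication and the two user-identification variants described above, written out with both sides' messages. This is an added example and not the paper's code: Telepass2 and the issuer's secret function are unpublished, so HMAC-SHA256 truncated to 64 bits stands in for the card's cryptographic computation, and the serial numbers, confidential codes and issuer master secret are constructed values.

```python
"""
Card/issuer authentication with per-chip diversified keys, plus the two user-code
variants. Added example, not the paper's code: Telepass2 and the issuer's secret
function are unpublished, so HMAC-SHA256 truncated to 64 bits stands in for the
card's cryptographic computation. Serial numbers, codes and the issuer master
secret are constructed values.
"""
import hashlib
import hmac
import secrets


def card_compute(key: bytes, value: bytes) -> bytes:
    """Keyed computation executed inside the card; 64-bit result as in the paper."""
    return hmac.new(key, value, hashlib.sha256).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Card:
    def __init__(self, serial: bytes, distribution_key: bytes, internal_code=None):
        self.serial = serial
        self._key = distribution_key      # written at card issue, never leaves the chip
        self._code = internal_code        # first solution: only the card knows the code

    def authenticate(self, value: bytes):
        """Answer the chip serial number and a computation on the incoming value."""
        return self.serial, card_compute(self._key, value)

    def authenticate_with_code(self, modified_value: bytes):
        """First solution: the terminal XORed the typed code into the random value;
        the card XORs its internal code back in, cancelling the external
        modification only if the typed code is the right one."""
        return self.serial, card_compute(self._key, xor(modified_value, self._code))


class Issuer:
    """Owns the secret function (here: an HMAC key) mapping a chip serial number to
    that card's unique distribution key; no per-card key database is needed."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self.user_codes = {}              # serial -> code, for the second solution only

    def distribution_key(self, serial: bytes) -> bytes:
        return hmac.new(self._master, b"distribution-key" + serial, hashlib.sha256).digest()[:16]

    def issue(self, serial: bytes, user_code=None) -> Card:
        return Card(serial, self.distribution_key(serial), user_code)

    def challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def verify(self, serial: bytes, challenge: bytes, response: bytes) -> bool:
        """Recompute the distribution key from the serial, then the expected result."""
        expected = card_compute(self.distribution_key(serial), challenge)
        return hmac.compare_digest(expected, response)


def run_plain_authentication(issuer: Issuer, card: Card) -> bool:
    r = issuer.challenge()                       # issuer -> card: random value
    serial, response = card.authenticate(r)      # card -> issuer: serial number, result
    return issuer.verify(serial, r, response)


def run_first_solution(issuer: Issuer, card: Card, typed_code: bytes) -> bool:
    """Only the card knows the code; the terminal modifies the random value with
    what the user types and the card must cancel that modification."""
    r = issuer.challenge()
    serial, response = card.authenticate_with_code(xor(r, typed_code))
    return issuer.verify(serial, r, response)


def run_second_solution(issuer: Issuer, card: Card, typed_code: bytes) -> bool:
    """The issuer modifies the random value before sending it; typing the right code
    at the terminal restores the initial value that the issuer expects."""
    r = issuer.challenge()
    sent = xor(r, issuer.user_codes[card.serial])
    serial, response = card.authenticate(xor(sent, typed_code))
    return issuer.verify(serial, r, response)


def key_exposure_is_contained(issuer: Issuer) -> bool:
    """A violation of one card yields only that card's key: it authenticates as that
    serial number and as nothing else (the point of key diversification)."""
    victim = issuer.issue(b"\x00\x00\x00\x0a")
    other = issuer.issue(b"\x00\x00\x00\x0b")
    r = issuer.challenge()
    forged = card_compute(victim._key, r)        # attacker extracted the victim's key
    return issuer.verify(victim.serial, r, forged) and not issuer.verify(other.serial, r, forged)
```

In both user-code variants the issuer never learns what was typed: a wrong code simply produces a response that does not match the recomputation, which is indistinguishable from a wrong card. The last function is the check that matters for the "additional security features" paragraph: an extracted key lets an attacker impersonate one serial number only, since every other card's key is a fresh output of the issuer's secret function.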
KEYS, AUTHORIZATIONS, ENTITLEMENTS :

First developed in a television environment in order to access 
broadcast information such as picture, sound and data, the key- 
carrier cards are deprived of any banking functionality. The condi- 
tional access method may be general, while the scrambling method 
clearly depends upon the nature and the coding of the service compo- 
nents. The key-carrier cards are usable in access control to a large 
range of services and resources, including terminals, network gates, 
databases, computers, and even buildings. 

Materializing entitlements, these cards are issued and managed by 
card issuers who are their real owners. The card issuer must be 
clearly distinguished from both the bearer and the service provi- 
der ; the bearer uses the card to recover control words, but cannot 
alter the card, nor get a copy of recorded keys ; the service provi- 
der checks entitlements by verifying their validity, by storing a 
debit, by consuming a credit ; the card issuer manages entitlement 
in his cards by delivering new entitlements, by clearing debits, by 
giving credits. 

The key-carrier cards store blocks of authorization, each one consisting of three fields : an identifier, a status and a secret key. Each operation on an entitlement, checking as well as management, results from a transaction with the card. During this transaction, a command asks for a cryptographic computation with incoming data consisting of three fields : an identifier, a parameter, and a cryptogram.

During an entitlement checking transaction, the identifier in the incoming data must correspond to the identifier of an authorization in the card, the status of which must comply with indications given in the parameter ; then the card reconstructs the control word by a cryptographic computation using the secret key of the authorization. The outgoing data in the command asking for the result is a control word which is either sent back to the controller as a witness, or used locally to descramble subsequent service components.

During an entitlement management transaction, the card uses the distribution key, unique to each card, to execute a cryptographic computation. The card tests for a redundancy in the 64-bit result, which must consist of two identical 32-bit fields. The card, having identified the voice of its master, executes the directive instructed by this field.

Depending on the way the card and the system manage the status of the authorizations, there are various entitlements : fixed and renewable subscriptions, prepaid special events, pay-per-views either from a prepaid credit or with a limited debit, and consumption of tokens in activable blocks.



FOUR TYPES OF AUTHORIZATIONS : 

The status of a basic authorization consists of an initial number, 
coding a starting date, and a gap, coding a duration. The parameter 
is an operation number, coding a current date. Before reconstructing 
a control word, the card verifies that the current date lies in the 
subscription period. The status of such an authorization is fixed 
and can only be verified. This first type of authorization is a fi- 
xed subscription. 

The status of an authorization with controlled sessions consists 
of an initial number, a gap, a limit and the content of a zone re- 
served for sessions. Each session is defined by a shift from the 
initial number and a width. The sessions must lie in the main period 
and the sum of their widths must not exceed the limit. Before compu- 
ting a control word, the card verifies that the operation number co- 
ded in the parameter lies in a session. Only a successful entitle- 
ment management transaction may modify the status of such an autho- 
rization by opening a new session (shift and width). 

Depending on the way the system manages the numbers, this second type of authorization is used to access prepaid special events. It may also be used like a renewable subscription : the renewal is obtained by opening a new session. For example, depending on the value of the session width, when numbers code weeks, the subscription is either on a monthly basis with width = four, or on a quarterly basis with width = thirteen.

The status of an authorization with impulse sessions also consists of an initial number, a gap, a limit, and the content of a zone reserved for sessions. Before reconstructing a control word, the card verifies that the operation number coded in the parameter lies in a session. In the absence of a suitable session, the card, after an explicit agreement of the user, directly opens a new session (a shift and a width) according to indications given by the parameter, as long as the sum of the widths does not exceed the limit.

This third type of authorization is a pay-per-view working either on an additive basis (when the limit is an authorized debit), or on a subtractive basis (when the limit is a prepaid credit), depending on the payment.

The status of an authorization for consumption consists of an initial number, a gap, and the content of a reserved zone divided into blocks of tokens. Only a successful entitlement management transaction may open new blocks. Before reconstructing a control word during an entitlement checking transaction, the card consumes the number of tokens indicated by the parameter. This fourth type of authorization is based on a consumption of tokens from selectively activable provisions.
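The four statuses above, together with the entitlement checking transaction that gates the control word on them, as an added example (not the paper's code). Numbers code weeks as in the subscription example; the control word is derived with HMAC-SHA256 standing in for the card's unpublished algorithm; identifiers, keys and cryptograms are constructed.

```python
"""
The four authorization statuses of a key-carrier card and the entitlement checking
transaction that gates the control word on them. Added example, not the paper's
code. Numbers code weeks as in the subscription example; HMAC-SHA256 stands in for
the card's unpublished control-word computation; identifiers, keys and cryptograms
are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List


@dataclass
class Session:
    shift: int      # offset of the session from the initial number
    width: int      # length of the session


@dataclass
class FixedSubscription:            # type 1: status fixed, only verified
    initial: int                    # codes the starting date
    gap: int                        # codes the duration

    def check(self, op: int, **_) -> bool:
        return self.initial <= op < self.initial + self.gap


@dataclass
class ControlledSessions:           # type 2: sessions opened by management only
    initial: int
    gap: int
    limit: int                      # bound on the sum of session widths
    sessions: List[Session] = field(default_factory=list)

    def _in_session(self, op: int) -> bool:
        return any(self.initial + s.shift <= op < self.initial + s.shift + s.width
                   for s in self.sessions)

    def open_session(self, shift: int, width: int) -> bool:
        """Entitlement management transaction: the new session must lie in the main
        period and must not push the sum of the widths over the limit."""
        if shift < 0 or width <= 0 or shift + width > self.gap:
            return False
        if sum(s.width for s in self.sessions) + width > self.limit:
            return False
        self.sessions.append(Session(shift, width))
        return True

    def check(self, op: int, **_) -> bool:
        return self._in_session(op)


@dataclass
class ImpulseSessions(ControlledSessions):   # type 3: pay-per-view
    def check(self, op: int, user_agrees: bool = False, width: int = 1, **_) -> bool:
        if self._in_session(op):
            return True
        if not user_agrees:             # the card opens a session only with explicit agreement
            return False
        return self.open_session(op - self.initial, width)


@dataclass
class TokenConsumption:             # type 4: tokens in selectively activated blocks
    initial: int
    gap: int
    blocks: List[int] = field(default_factory=list)   # tokens left in each open block

    def open_block(self, tokens: int) -> None:         # management only
        self.blocks.append(tokens)

    def check(self, op: int, tokens: int = 1, **_) -> bool:
        if not (self.initial <= op < self.initial + self.gap) or sum(self.blocks) < tokens:
            return False
        for i, left in enumerate(self.blocks):         # consume from the first open blocks
            take = min(left, tokens)
            self.blocks[i] -= take
            tokens -= take
            if tokens == 0:
                break
        return True


@dataclass
class Authorization:                # one stored block: identifier, status, secret key
    identifier: int
    status: object
    secret_key: bytes


def entitlement_check(card_auths, identifier: int, parameter: int, cryptogram: bytes, **status_args):
    """Entitlement checking transaction: the identifier must match a stored block, the
    status must comply with the parameter, and only then is the control word
    reconstructed with that block's secret key. Returns None on refusal."""
    for auth in card_auths:
        if auth.identifier != identifier:
            continue
        if not auth.status.check(parameter, **status_args):
            return None
        return hmac.new(auth.secret_key, parameter.to_bytes(4, "big") + cryptogram,
                        hashlib.sha256).digest()[:8]
    return None
```

Note which transactions may change state: a checking transaction leaves types 1 and 2 untouched (their sessions are opened only by management, with the distribution key), while for types 3 and 4 the check itself opens a session or consumes tokens, which is why those two need the user's explicit agreement or a limit the card enforces on its own.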



THE EXISTING KEY-CARRIER CARDS : KC0 AND KC1

The first version of key-carrier cards, KC0, was developed as a basic tool in pay-TV systems. The MOTOROLA SPOM with such a mask has been available since 1983. And these specifications were used to test the THOMSON SPOM in 1985. KC0, now available on both SPOMs, includes the first three types of authorization : subscription and both kinds of sessions.
An unpublished cryptographic algorithm, named Twisted Double Fields and described in about 200 bytes in the mask, reverses another, expanding, external algorithm used by the card issuer to compute entitlement management messages, and by the service provider to compute entitlement checking messages. In the card, a 64-bit result (for example, a control word) is computed from a 23-bit incoming parameter, a 127-bit incoming cryptogram, and a 127-bit internal secret key.

The second version of key-carrier cards, KC1, developed on the
THOMSON SPOM, extends KC0 functionalities, thus taking advantage of
the additional ROM in SPOM02. KC1 introduces the fourth type of
authorization with consumption of tokens. KC1 also includes a
cryptowriting mechanism : the redundant result of a cryptographic
computation using the distribution key indicates the address and the
content of the 32-bit word to be written.

An unpublished cryptographic permutation, named Videopass, is
described in about 200 bytes in the mask of KC1, which may a priori
execute the algorithm in both directions, but locks restrict user
cards to one direction. A 64-bit result is computed from an incoming
64-bit cryptogram, an either incoming (a parameter) or internal (a
non-secret word) 32-bit argument, and a 96-bit internal secret key.

But, more important yet, these chips are specialised by locks
written during card issue. Most of the cards are restricted to one
direction of the cryptographic computation, while some cards keep
both directions. To reverse a computation performed by a user card,
the master card must have stored the same secret key written in the
reverse order.

Thus, the cryptographic algorithm is dissymmetrised :

- the user cards compute certificates on incoming redundant data,
and the master cards can only verify their genuineness by recovering
the redundancy in the result, without being able to forge
certificates.

- the master cards securely produce cryptograms of control words and
entitlement management messages : the user cards reconstruct the
control word or execute the directives given by the master, without
being able to forge management messages.
CONCLUSION :



This approach to smart cards, and more specifically to key-carrier
cards, has deliberately excluded the banking purposes, in order to
avoid the credit card syndrome. But in the existing banking smart
cards, many key-carrier card concepts have been introduced :
distribution key, authentication, identification, cryptowriting, ...
summarized by the user/master mechanism.

The cryptographic computation uses rather proprietary algorithms.
But a new version of key-carrier cards, under development by
PHILIPS, is implementing the DES. And future chips, with a more
powerful CPU and at least four times the actual amount of RAM, will
implement public key algorithms. The best way to protect the secret
parameters of a public key signature scheme seems to be to store them
in a user-friendly and tamper-free device containing a SPOM, with high
security features.
[FIGURE 2a, FIGURE 2b] Let us compare the destroyed fuses on the
bipolar memory (fig 2a) with the regular pattern of the nMOS memory
(fig 2b).

[FIGURE 3]
THOMAS - A COMPLETE SINGLE CHIP RSA DEVICE



by Dr. Gordon Rankine, 
RAANND SYSTEMS Ltd., 
Livingston, EH54 9BJ, 
Scotland, Great Britain 

Synopsis - This paper examines a novel implementation of a 512-bit
modulus exponentiator for applications in RSA key management
environments.

The device, known by the internal project code THOMAS, is a complete
single chip RSA implementation. No other device is necessary to
compute the RSA components, other than the control elements associated
with the crypto-system.

The approach chosen is examined to establish the benefits from the
implementation in comparison with potentially faster but less flexible
techniques.

1. BACKGROUND 

In 1985, TALUS Security, a division of British Telecom, approached
RAANND SYSTEMS Ltd. to design, develop and manufacture a high speed
stream encryption device with an RSA key management procedure.
Subsequently, the Government and Advanced Projects division of British 
Telecom adopted the idea and outlined an extension of the work to 
become a standard Telecom product for medium and high security line 
communications. This resulted in the product now known as LEKTOR. 
During the development program, the RSA implementation chosen was a 
hardware-assisted MC6809. It became apparent during the development 
that the implementation of the exponentiation could be the basis for a 
chip to implement a high-speed RSA device. Further development 
resulted in the design of a device which bore little resemblance to the 
original idea, being correspondingly faster and more silicon-efficient. 
Thus - THOMAS was an accident. 

2. WHY VLSI RSA? 

Before identifying strategies for the successful implementation of 
single chip modulus exponentiation functions, hereafter to be 
(erroneously) denoted by RSA, the question as to whether an RSA device 
is necessary or desirable must be considered. 

The RSA algorithm is now well-known, developing from original public 
key cryptographic methods, first published in [1 - Diffie, Hellman, 
1976]. The recognised version of the algorithm conventionally known as
RSA is attributed to [2 - Rivest, Shamir, Adleman, 1978]. Subsequent
to this, variants using the same mathematical basis have been 
developed. As these still employ the exponentiation, any device 
fulfilling the requirements of the RSA public key algorithm 
automatically satisfies the related applications. Accordingly, the 
term RSA will also embrace variants that satisfy this criterion. 

The strength of an RSA system is based on the factorisation problem
associated with the product of large primes. Recent advances,
including application of a technique known as the Quadratic Sieve [3 -
Caron, Silverman, 1986], have shown that factorisation of 80+ digits
is now achievable. These use networks of powerful devices, but still
require approximately a month to complete the task, every additional 3
digits approximately doubling the required period. This corresponds to
256 bit (nominal) RSA key pairs. When RSA was first advocated, [2 -
Rivest, Shamir, Adleman, 1978], 200 digits were suggested as having the
desired security for the foreseeable future, corresponding to nominally
600 bits of RSA key pair. Thus, a solution embodying the range of
security required, performs 256 to 512 bit operations.

Thus the problem has been established; performing wide, repeated,
multiplications and divisions, to achieve a useful operational
application of the method. Where software routines have been
implemented, except on powerful mini-computers, or hardware-assisted
micro-computers, the times achieved for the computation have been poor.
Typically, for 512 bit values of average density, an MC6809 requires 4
minutes, an INT8086 70 seconds, and a MC68000 30 seconds. These
performances are adequate for key management applications. Many have
been implemented, but are less than satisfactory for fast
authenticators, rapid key changes using RSA as a transport mechanism,
let alone for RSA stream encypherment.

Furthermore, the requirements to perform the operation require the 
presence of a complete processor sub-system. This may be acceptable in 
applications where there is a requirement for substantial computing or 
processing elsewhere, but is an undesirable addition when the remaining 
requirements are trivial. Not surprisingly, a demand arose for VLSI 
implementations to achieve orders of magnitude improvement for 
applications of the nature outlined. 

Many papers and much research and development have been devoted to the
production of techniques and devices to achieve such performance.
These include [4 - Orton, Roy, Scott, Peppard, Tavares, 1986], [5 -
Kochanski, 1985], [6 - Rivest, 1985], [7 - Roy, Tavares, Peppard,
1985], [8 - Orton, Peppard, Tavares, 1986], [9 - Scott, Tavares,
Peppard, 1986], and [10 - Beth, Cook, Gollman, 1986]. However,
ignoring material not in the public domain associated with hardware
implementations of RSA, there are merely a handful of successful
implementations, either known to the cryptographic world, or
commercially available, albeit embedded in a commercial product. Even
these devices reflect a very recent success, for reasons outlined
below. Apart from applications requiring the highest security, the
motivation driving VLSI implementations has been cost and performance.
The cost savings are reflected in the difference between the components
to achieve a desired performance, and a device; the savings in power;
and in real estate, hence saving in manufacture and test times.
Naturally, the savings are offset by the development costs, which in
the past have tended to be very substantial.

Notwithstanding the intense academic research associated with 
cryptography and the establishment of the DES standard, the techniques 
devised have not achieved the levels of adoption anticipated. This, in 
turn, has also reduced the interest in the commercial world to develop 
such devices. However, the advancement of money transfer in many areas 
and publicity for the success of hackers has rekindled the interest, 
generating the few RSA implementations that are now available. 

With the advent of high performance Digital Signal Processors, e.g. 
the TMS320 family, a compact, medium performance, device has become 
generally available for applications of the nature of RSA. NPL [11 -
Clayden, 1985] has developed algorithms for the TMS32010 which now
execute a 512 bit operation in nominally 2.5 seconds. This has
subsequently been enhanced, [12 - Barrett, 1984] and [13 - Barrett,
1986], to typically 1.5 seconds. With further DSP devices appearing on
the market, with progressively higher performance, this might appear to 
detract from the need for VLSI purpose-designed devices. However, 
whilst such devices give high performance results, these devices 
consume substantial power, and require additional circuitry and devices 
to implement the operation. Furthermore, whilst intrinsically flexible 
by the nature of the algorithm implementation, the device physically is 
inflexible, and may not be implemented in differing forms to suit 
particular applications. 



Summing up, the climate, the technology, and the need for RSA VLSI
devices now coincide!



3. MATHEMATICAL FUNCTIONALITY 

The device is required to execute the two functions:-

A = B * C mod N

and

A = B ** C mod N

The conventional usage of the exponentiator is associated with RSA key
management operations. However, the device also acts as a high-speed
multiplier, with or without modulus correction, for general processing
requirements.

4. HISTORIC FAILURE

There have been many attempts to produce devices that perform a 
high-performance exponentiation function. There have been almost as 
many failures. These failures may be attributed to the following
reasons:-

Exceeding available technology, 
Exotic implementation mechanisms, 
Ambitious requirements. 

Each of these reasons tends to overlap certain areas of the other. 

Despite the rapid advances in semiconductor technology, only recently 
have VLSI chips of 100,000 transistors plus become readily available, 
particularly to commercial organisations, where yield and cost have 
been fundamental to the application. Accordingly, the technology for 
useful implementations has only become available within the space of 
the last two years. (By useful, the effective bit width of such a 
device or concatenation of devices is presumed to be substantially 
greater than 256, typically 512, as above.) 

Secondly, the repercussions of the necessity of large bit widths
produce a desire to find techniques that overcome the square- or
cube-law deterioration in performance as the bit widths increase.
These techniques inevitably demand greater areas of silicon, increased 
power, and poorer yields. 



Finally, the poor performance of the software solutions with the need 
for high-speed solutions has tended to project higher speed 
requirements on the device. Thus, where key management functions have 
been the goal, the need for very fast implementations is generally 
unnecessary. 
5. THE LESSONS OF HISTORY



With hindsight, it is the case that demands were made for performance
that outstripped the available capabilities. With the substantial 
improvements in technology, performance requirements may be achieved by 
less elegant techniques, permitting a wider flexibility. Thus, 
considering the three reasons for past failures, the goals may be 
redefined as follows:- 



Assume current technology, 
Use old and tried mechanisms, 
Limit performance. 



With the ability to use more transistors on a silicon die, use the
largest number available commensurate with desired unit cost. Under
these circumstances, the yield may be ignored, with amortisation of
all losses against the acceptable figure.



The RSA algorithms are well known and the requirements for
multiplication and modulus division or reduction are well known.
Techniques for the execution of these tasks are available for small 
numbers of bits or groups that are effective and undemanding. If the 
resultant device, compromised by such unsophisticated techniques, 
achieves an adequate performance, accept the limitations. 



As an overall strategy, set a lower limit on performance that achieves 
the desired end. 



These decisions are all, of course, self evident. Equally, if these 
targets had been implemented, there would have been RSA devices of a 
single chip form available for some time, giving a performance of 
typically 512 bit full exponentiation with 512 bit data and modulus of 
10 seconds, well in advance of the DSP devices. Whilst such 
performance could not be deemed electric, it has only recently been 
overtaken by the high-performance Data Signalling Processors (DSP) and 
with a number of associated components (see above). 



These represent a basic set of criteria to produce a device. However, 
to these may be added a further set of requirements that will be shown 
to complement the criteria, producing a technology component that is 
flexible for many implementations. 



6. IMPLEMENTATION FUNCTIONALITY 

The device, known by the internal project code THOMAS, is a complete
single chip RSA implementation. "Completeness" was declared to be the
complete absence of any other device to perform the RSA computation.
Of necessity, there would be other devices to produce a crypto-system
of the desired complexity, but not associated with the mathematical
operation. In addition, the following criteria were dictated for such
a device.



A restriction on the architecture was decreed to ensure an organisation
suitable for adequate testing and simulation before commitment to
silicon, and ATE testing at a wafer level before encapsulation to a
high degree of reliability. This architecture was required to exhibit
a high degree of flexibility, preferably at the silicon compiler stage,
to permit a family of related devices to be produced easily,
efficiently, and inexpensively. This results in an implementation that
supports any (reasonable) internal bit width without encroaching on
the effective bit size of the machine, as perceived by the user or the
local processor.

In order to comply with minimal systems, interface characteristics were 
required to satisfy modern usage, the de facto industry standards. 

The packaging options were to be as wide as possible, but offering a 
choice from very compact (e.g. surface-mount or bonding) to more 
conventional DIP standards as required. 

The design and quality programs were to satisfy both commercial and 
military standards, if possible. 

The implementation was to be chosen to minimise design time and risk.
This included the simplification of simulation, and the guarantee of a
fully operational working device, first time.



7. APPLICATIONS 



7.1 KEY MANAGEMENT - LINE SECURITY

RAANND SYSTEMS Ltd., and BRITISH TELECOM, have a series of high 
performance DES and B-CRYPT stream encryptors for low to high 
performance line security applications. The use of THOMAS reduces 
power consumption, real estate, and minimises overheads associated with 
certification, session key exchanges, and subsequent establishment of 
further session keys at high frequency. These applications require the 
256 to 512 bit effective widths. 



7.2 SMARTish CARD

The virtues of authentication and key management apply equally well to
areas associated with SMART cards or intelligent tokens. There are
generally restrictions on the number of devices that may be 
accommodated within a flexible, thin, carrier. However, the security 
requirements may be even greater, with the portability of the medium. 
Accordingly, the technology of THOMAS may be used to produce an 
internal 8-bit or even 4-bit architecture where silicon area is 
limited, thereby permitting the incorporation of EEPROM, RAM, and 
processor on the same silicon die. 



7.3 STREAM ENCRYPTION 



Although typical applications of RSA have not included stream
encypherment, such usage offers a highly secure line, even at 512 bit.
With the chosen architecture, ready expansion to 1024 bit effective bit 
width is immediately available. Alternately, the internal bit width 
may be increased from 64 bits to 128 or other useful values, giving an 
immediate linear increase in performance. 

7.4 CONCATENATION

Where speed requirements or security levels are variable, the same 
architecture may be used as a slice of the desired word length, but 
effectively increasing the internal bit width. 
8. THOMAS IMPLEMENTATION

THOMAS employs 4 kilobits of RAM / REGISTER storage to hold the
following 512 bit (max) parameters:-

Key, Modulus, Data, Result,
and 4 work variables.

The internal structure is based on a 64-bit width, hence the RAM is 
organised as 64 words of 64 bits. 

All ALU functions are based on a 64-bit width operation. 

The core of the device employs 5000 standard cells, organised as ALUs,
registers, multiplexors, and control logic. This is supported by an
integrated RAM array, 64 words x 64 bits. The die is nominally 16mm x
16mm.

All I/O is controlled via 16 control/status and buffer port registers,
with automatic internal destination computation performed transparently
to the user. As the internal bit width is 64 bits, THOMAS may be
configured via the control register to function in multiples of 64 bit
slices. Where the data lengths are high, e.g. 512 bits, but the key
is small, e.g. 2 to 8 bits, a key length register may be loaded with
the significant length of the key to over-ride the default execution
time, the algorithm and hence the implementation being wholly
symmetric.

Consistent with the desire to minimise external circuitry, an on-board
oscillator produces the nominal 20 MHz clock, though external crystal 
control is permitted. This, in turn, is used to generate lower 
frequency clocks to drive associated circuitry. 

Although the RSA implementation itself has no need for a random number 
generator, two on-board generators are provided, white noise and a 
pseudo-random shift register generator, which provides a random output 
for other uses in a system, via a status register and at package pin. 

The operation restores all parameters to the initial state, thereby 
permitting further data to execute with the same modulus and key, or 
new data with the same modulus and a newly loaded key. 

All I/O is performed on a byte or word-wide basis, user selected or pin 
configured, with pin configuration of READ / WRITE and ENABLE operation 
to suit INTEL or MOTOROLA buses. 

The implementation produces a cubic relationship for encryption /
decryption times. Thus, for a full 512 bit exponentiation with a 512
bit key, the device typically produces the result in 750 milliseconds,
whereas a 256 bit x 256 takes 98 milliseconds.
9. THOMAS APPLICATIONS



The device has immediate applications in products that employ RSA key
management. It offers substantial savings in power consumption,
volume, and costs. If this were its only application area, this would
be substantial. However, the value of the device is the demonstration
of a powerful solution, which, by virtue of its internal architecture,
lends itself to a series of wider applications.



9.1 HIGH-SPEED RSA 

Although THOMAS is an ASIC, using standard cells, simply by increasing
expenditure and development time, a full-custom device could have been 
fabricated. This remains as an opportunity for either wider internal 
architectures for higher performance, or with the same basic 
implementation, a smaller silicon area and reduced power dissipation, 
with a nominal performance improvement. 

9.2 INTEGRATION 



The architecture chosen is based on an internal 64-bit wide path. Any
linear multiple, based on powers of 2, offers scope to reduce the
performance and hence decrease throughput linearly. Accordingly, an
8-bit wide pathway increases the execution time by 64/8.
Simultaneously, this reduces the core and control logic requirements by
approximately 1/6, thereby permitting the introduction of additional
components, e.g. EEPROM, ROM, RAM, and a small processor. This offers
a high performance single chip key management system and encryptor,
ideally suited for SMART-type card applications, battery operated
and/or hand-held devices, or similar applications.
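As an added example (not code from the paper or from RAANND SYSTEMS), the following Python models the two functions of section 3 on a slice-based datapath: a shift-and-add modular multiply over `width`-bit limbs, used inside square-and-multiply, counting the limb-wide ALU steps. It is a simplified "old and tried" mechanism of the kind section 5 recommends, not THOMAS's actual circuit; with it one can check the cubic growth in operand width (section 8), the linear 64/8 cost of narrowing the slice (above), and the saving from a key length register. The modulus and base used in count_ops are constructed values.

```python
# Added example (not from the paper): shift-and-add modular exponentiator over
# `width`-bit slices; each limb-array primitive costs one ALU step per limb.
class SliceExponentiator:
    def __init__(self, nbits, width=64):
        assert nbits % width == 0, "operand width must be a multiple of the slice"
        self.nbits, self.width, self.mask = nbits, width, (1 << width) - 1
        self.limbs = nbits // width + 1      # one spare limb for the shift carry
        self.ops = 0                         # limb-wide ALU operations performed

    def to_limbs(self, x):
        return [(x >> (i * self.width)) & self.mask for i in range(self.limbs)]

    def from_limbs(self, a):
        return sum(l << (i * self.width) for i, l in enumerate(a))

    def _add(self, a, b):                    # final carry is always 0 here
        out, carry = [], 0
        for x, y in zip(a, b):
            carry, s = divmod(x + y + carry, 1 << self.width)
            out.append(s)
            self.ops += 1
        return out

    def _sub(self, a, b):                    # caller guarantees a >= b
        out, borrow = [], 0
        for x, y in zip(a, b):
            d = x - y - borrow
            borrow = 1 if d < 0 else 0
            out.append(d & self.mask)
            self.ops += 1
        return out

    def _geq(self, a, b):                    # compare from the top limb down
        for x, y in zip(reversed(a), reversed(b)):
            self.ops += 1
            if x != y:
                return x > y
        return True

    def _shl1(self, a):
        out, carry = [], 0
        for x in a:
            carry, s = divmod((x << 1) | carry, 1 << self.width)
            out.append(s)
            self.ops += 1
        return out

    def modmul(self, b, c, n):               # A = B * C mod N, MSB-first; acc < N always
        bl, nl, acc = self.to_limbs(b), self.to_limbs(n), self.to_limbs(0)
        for i in range(self.nbits - 1, -1, -1):
            acc = self._shl1(acc)
            if self._geq(acc, nl):
                acc = self._sub(acc, nl)
            if (c >> i) & 1:
                acc = self._add(acc, bl)
                if self._geq(acc, nl):
                    acc = self._sub(acc, nl)
        return self.from_limbs(acc)

    def modexp(self, b, e, n, key_length=None):
        """A = B ** C mod N; key_length mimics the key length register, bounding
        the exponent loop so a short key does not pay for nbits iterations."""
        bits = self.nbits if key_length is None else key_length
        acc = 1 % n
        for i in range(bits - 1, -1, -1):
            acc = self.modmul(acc, acc, n)
            if (e >> i) & 1:
                acc = self.modmul(acc, b, n)
        return acc


def count_ops(nbits, width):   # ALU steps for an nbits exponentiation, all-ones key
    n, e = (1 << nbits) - 59, (1 << nbits) - 1     # constructed odd modulus, worst key
    b = (3 * n) // 7                               # arbitrary base below n
    m = SliceExponentiator(nbits, width)
    assert m.modexp(b, e, n) == pow(b, e, n)
    return m.ops
```

The ratio count_ops(128, 8) / count_ops(64, 8) approaches the cubic factor of 8 and count_ops(128, 8) / count_ops(128, 16) the linear factor of 2; the spare limb and the constant cost of the compares keep both slightly below.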



10. CONCLUSION 



THOMAS is the first of a family of devices that embody an RSA 
exponentiation facility for a wide range of applications. The 
availability of this feature permits the ready incorporation of secure 
key management in all areas of privacy and high security, with 
performance as required. 